Malware Analysis Report

2024-09-09 16:18

Sample ID 240612-k1x45sxamc
Target a020523ae458c0c098016f13eb4faaa1_JaffaCakes118
SHA256 368087f68c00f498702217b0b45f8c33515eac375aec671f7a1e54b658308f8b
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

368087f68c00f498702217b0b45f8c33515eac375aec671f7a1e54b658308f8b

Threat Level: Likely malicious

The file a020523ae458c0c098016f13eb4faaa1_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Queries information about active data network

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 09:04

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 09:04

Reported

2024-06-12 09:07

Platform

android-x86-arm-20240611.1-en

Max time kernel

24s

Max time network

158s

Command Line

com.msapps.ftdgdx

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.msapps.ftdgdx

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h.online-metrix.net udp
NL 91.235.132.130:443 h.online-metrix.net tcp
US 1.1.1.1:53 connect.tapjoy.com udp
US 1.1.1.1:53 ws.tapjoyads.com udp
US 52.55.118.177:443 connect.tapjoy.com tcp
GB 18.244.155.17:443 ws.tapjoyads.com tcp
US 1.1.1.1:53 s3.amazonaws.com udp
US 52.216.33.72:443 s3.amazonaws.com tcp
US 52.216.33.72:443 s3.amazonaws.com tcp
GB 18.244.155.17:443 ws.tapjoyads.com tcp
US 1.1.1.1:53 data.flurry.com udp
US 74.6.138.65:443 data.flurry.com tcp
GB 212.71.250.229:80 212.71.250.229 tcp
US 23.92.31.125:80 23.92.31.125 tcp
US 1.1.1.1:53 content.offerwall.unity3d.com udp
GB 18.165.227.127:443 content.offerwall.unity3d.com tcp
GB 18.165.227.127:443 content.offerwall.unity3d.com tcp
US 1.1.1.1:53 live.chartboost.com udp
US 1.1.1.1:53 android.revmob.com udp
US 34.107.157.36:443 live.chartboost.com tcp
US 1.1.1.1:53 sdk.adbuddiz.com udp
US 1.1.1.1:53 api.vungle.com udp
US 44.209.167.75:80 api.vungle.com tcp
US 44.209.167.75:80 api.vungle.com tcp
US 44.209.167.75:80 api.vungle.com tcp
US 44.209.167.75:80 api.vungle.com tcp
US 44.209.167.75:80 api.vungle.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 44.209.167.75:80 api.vungle.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.msapps.ftdgdx/files/.flurryagent.611b5edc

MD5 0d7588f9a18854ea316558b837ab0a39
SHA1 5f852e5e1e5bfa787a6ae7003ed48c3e21d762d0
SHA256 7ef05ed980894405f01725163d2aaedb6bc94030496060361f65fb7ed65ce816
SHA512 8d415d7a33c13dfd27382e8b30cd54051f66618932d8bbf7108e2c27fc680f5f94dd9c7c1b88c6e94c9d12623ae63e604f6ac07185ef7e41c616d4f1c6693137

/data/data/com.msapps.ftdgdx/files/.yflurrydatasenderblock.dadceba9-ea3a-417f-a67b-c133738bd8a6

MD5 5e543af1daadfd4880f7e6a9c9236fc7
SHA1 2420bf5b6e79c1f8d2bdb06a705f6b7f0a199e3c
SHA256 be84ae13cb17e1a72449707d255da1ae408f52b337217e2460939234b07740e3
SHA512 556d279b48c2dd21dfbb9f7d7382e9db5252ae744a56f1456aceab009e9ddd469af20f20240465e5b33bb41384bb9057f78106110c2b3264bc789edd2bc2c499

/data/data/com.msapps.ftdgdx/files/.YFlurrySenderIndex.info.AnalyticsData_62GSSXFVDSWXMBV73XWK_182

MD5 da03c3f9ead787312030ad005ab27887
SHA1 ee11f8a6765af071a03b1a62a756e672b56bf5bd
SHA256 0dddbd269109311c4977a9d766cfd225cf2b25c7810e668996e6a9131b950540
SHA512 6544a1d79fe024938f36f5b29a55cee936f2b94ff7ce1cacceb1a182f5c02857bdca31e62cb00a021478e3847f3bfd096fb11a5667d5d643d38df8b431bf81d0

/data/data/com.msapps.ftdgdx/files/.YFlurrySenderIndex.info.AnalyticsMain

MD5 dd1a8e84a33f52267be5afba0225272f
SHA1 422a6cb5aa8e5205d776d502d6b71376cceec2e7
SHA256 3674c1ebb896af3fc00aa5392bd76d66c6e31b5c942acf4e84f8ca72dc4f271a
SHA512 0192f79c9b3730700f84cce0d0579e1d15d1a640eacc3b5b93f95833a86c3cdaa736fb70d42f41a7aa05018579975ca8b8f45779205abff67a9eed3a35d89879

/data/data/com.msapps.ftdgdx/databases/vungle-journal

MD5 8162aa3ab4eb84383b50d5be5910a058
SHA1 d7b02b720c3c6b0495a7f92e4dbfc4d74eb282e9
SHA256 7b6a4e9abe7b7677b9c44e92f0747156f990c1c51512ae54874c523dcd28c3bd
SHA512 f0be1df40786ee866bbbc58c7c9129f20101bde75b630542253764291c75ddaea34fc0a0695a4673c76f3c3fad5da885fc54a370964091f0fe62849d657c3d8a

/data/data/com.msapps.ftdgdx/databases/vungle

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.msapps.ftdgdx/databases/vungle-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.msapps.ftdgdx/databases/vungle-wal

MD5 8921e8d327bd75956d670da0b4aab86b
SHA1 64f0fd35be0957e2d8b90ccde9f02e9ceb30c45f
SHA256 b0d819e07c8d4c7555142daff9d56236ac4159171c14b27e282ffdcf3dd92513
SHA512 dc8457f18b30343c104ef7640595d131a6579e79c5c30f5db196457c642d997175d210946532108900d934ac598e5c622fcdad69eee47fcf3809728874f8ae56

/storage/emulated/0/.chartboost/.adId

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:04

Reported

2024-06-12 09:07

Platform

android-x64-arm64-20240611.1-en

Max time kernel

114s

Max time network

189s

Command Line

com.msapps.ftdgdx

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.msapps.ftdgdx

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h.online-metrix.net udp
NL 91.235.132.130:443 h.online-metrix.net tcp
US 1.1.1.1:53 connect.tapjoy.com udp
US 54.197.47.7:443 connect.tapjoy.com tcp
US 1.1.1.1:53 ws.tapjoyads.com udp
GB 18.244.155.55:443 ws.tapjoyads.com tcp
US 1.1.1.1:53 s3.amazonaws.com udp
US 54.231.159.0:443 s3.amazonaws.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 54.231.159.0:443 s3.amazonaws.com tcp
GB 18.244.155.55:443 ws.tapjoyads.com tcp
US 1.1.1.1:53 content.offerwall.unity3d.com udp
GB 18.165.227.39:443 content.offerwall.unity3d.com tcp
GB 18.165.227.39:443 content.offerwall.unity3d.com tcp
US 23.92.31.125:80 23.92.31.125 tcp
GB 212.71.250.229:80 212.71.250.229 tcp
US 1.1.1.1:53 data.flurry.com udp
US 74.6.138.65:443 data.flurry.com tcp
US 1.1.1.1:53 live.chartboost.com udp
US 1.1.1.1:53 android.revmob.com udp
US 1.1.1.1:53 sdk.adbuddiz.com udp
US 34.107.157.36:443 live.chartboost.com tcp
US 34.107.157.36:443 live.chartboost.com tcp
US 1.1.1.1:53 api.vungle.com udp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
US 18.215.52.187:80 api.vungle.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 18.215.52.187:80 api.vungle.com tcp
GB 216.58.201.99:443 tcp
US 1.1.1.1:53 api.vungle.com udp
US 100.25.59.192:80 api.vungle.com tcp
US 1.1.1.1:53 api.vungle.com udp
US 34.231.213.76:80 api.vungle.com tcp

Files

/data/user/0/com.msapps.ftdgdx/files/.flurryagent.611b5edc

MD5 4d42524426cbbd40960a13d36a8ace1a
SHA1 523e39ad429f9e7440e1d08f23d72b01bb6b9d1d
SHA256 43b6e8f1d6c920d4ee6d945fae705fd5e938484207c8b2ab0b0dfb57f22748f0
SHA512 eb2ded43f2999c570fda693cf6ff36e8d5bf8a903ba86630e2bd60590f9a4ea3d98340672326f8126b01f3fb32bd1dab1148851fedd13afd568cd8334c1d4c48

/data/user/0/com.msapps.ftdgdx/files/.yflurrydatasenderblock.7104b9fb-14dc-4dd6-b4a3-31a178cbefea

MD5 78af77bbffb97430a661446b29120b98
SHA1 f3821ed3a9618c22ba38a2b04b909fa9a1581ce3
SHA256 7023b48d906cc66699ddbf451c6ab16c1d48cb96cab58e88e4692691b10e99d3
SHA512 7e8f958ca237d841969025c946ff8efaa1fd996a9100c11529f6d0e9bc3fd3f0d9be0ae90b475d79ac34aab8feecca3cbc24ecbb8f9688907514386756201c1b

/data/user/0/com.msapps.ftdgdx/files/.YFlurrySenderIndex.info.AnalyticsData_62GSSXFVDSWXMBV73XWK_182

MD5 41261770dc5e554ed45025877f539ccd
SHA1 8aeb52a47aaaa55a35902746ee6876a665368c56
SHA256 2ac2890d732560f9514d32bebea44eb2ac01c9d6c3ecd215f209b05c07617386
SHA512 86d88f06926c9bf08f2ba8bc8d727249e58a4c142460363d149c514bccb668a002e185cab6cdccb73a917ef510d4ff77cb2381f0d0a1117676f19e7ef05b4698

/data/user/0/com.msapps.ftdgdx/files/.YFlurrySenderIndex.info.AnalyticsMain

MD5 dd1a8e84a33f52267be5afba0225272f
SHA1 422a6cb5aa8e5205d776d502d6b71376cceec2e7
SHA256 3674c1ebb896af3fc00aa5392bd76d66c6e31b5c942acf4e84f8ca72dc4f271a
SHA512 0192f79c9b3730700f84cce0d0579e1d15d1a640eacc3b5b93f95833a86c3cdaa736fb70d42f41a7aa05018579975ca8b8f45779205abff67a9eed3a35d89879

/data/user/0/com.msapps.ftdgdx/databases/vungle-journal

MD5 01e0e89d0e7afa9a2973e3dcdcb03617
SHA1 ffd33c8712c6f33e44ce6c4ea2ca47dcb29ae411
SHA256 4781a44188ccc9b6bfb81bb0a22d3b37b9908e573e0e163b7ac46cd5004a44bf
SHA512 fe5cf9f97fb13e7f4e7d6fbe681b35bbf20262bb206d1d288d1fdcd28b8e4275a49a1ceb98f20fb0385c4e2d6c9de6a17951a9cccada18d055bdfda5f4aaf2a8

/data/user/0/com.msapps.ftdgdx/databases/vungle

MD5 a464856525ce2164b35dc07a50f2a94b
SHA1 81645f1eed3e463a3661996d653018aa326b3a4c
SHA256 e32376e11a44c8ffde9b6b2fb67f8ed2f83b761432b5844e1dfc571e6aa29274
SHA512 3362aca93c08db70118857fbee9899cf46b2089c5e306cbef9dd5862b79249e8662b34a4392d33bceeefbc7d02d27cc7a9c211e35090f303aaabad70b368a935

/data/user/0/com.msapps.ftdgdx/databases/vungle-journal

MD5 33e0f7732d3d6dba6ac42c5413e6988f
SHA1 9c3552fc304439fb482ebbebc352c6a0dca3f732
SHA256 1deec67a094fef0a8bca64a70d02b7d0f23071befc790aef7d07b342f85021ca
SHA512 ce07f73b41e18c89beb49234395123dbb26d0ef51fc09f8cf272080b00cd27d849eee011271a834d1049ec3fa3a5a2e280298a1eaa534e3307a07d6b79fc0f7c

/data/user/0/com.msapps.ftdgdx/databases/vungle-journal

MD5 c765bb40255942dfb78485580138abcb
SHA1 0a006715c8efd3ba68818ee188a9520df9f07101
SHA256 6a37a6ea1074d44fe80bdbb1d54a26553eae490ca45f36312cec478d2e3cbfc0
SHA512 3a00edaf1cb3eb0485d933d4db468acb51ac9e503df6e525394301f28094aabae7cdca78eb9b99ce574dbe699d8cacd251dc34f3b83578b20f857aa560b47da8

/storage/emulated/0/.chartboost/.adId

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1