Malware Analysis Report

2024-10-19 11:54

Sample ID 240612-mmbp4a1epe
Target a05769d0e61297067bb37b2c0b8001a2_JaffaCakes118
SHA256 b382868f93036193ac2deed4e18257a24f193a2361597989eeef911a6275307c
Tags: banker collection discovery evasion impact persistence
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: b382868f93036193ac2deed4e18257a24f193a2361597989eeef911a6275307c

Threat Level: Likely malicious

The file a05769d0e61297067bb37b2c0b8001a2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-12 10:34

Signatures

Requests dangerous framework permissions

Permission (duplicate rows in the report collapsed) / Description
android.permission.READ_PHONE_STATE: read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE: read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: write to external storage.
android.permission.ACCESS_COARSE_LOCATION: access approximate location.
android.permission.ACCESS_FINE_LOCATION: access precise location.
android.permission.REQUEST_INSTALL_PACKAGES: request installation of packages.
android.permission.READ_CALENDAR: read the user's calendar data.
android.permission.WRITE_CALENDAR: write the user's calendar data.
android.permission.SYSTEM_ALERT_WINDOW: create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_CONTACTS: read the user's contacts data.

Two of these carry most of the weight behind the banker tag: SYSTEM_ALERT_WINDOW lets the app draw over other apps (the overlay technique referenced under the installed-applications signature), and REQUEST_INSTALL_PACKAGES lets it prompt the user to side-load further APKs. Neither is a dangerous-tier runtime permission; both are granted through a separate settings screen, so their presence alone does not mean they were granted in the sandbox.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 10:34

Reported

2024-06-12 10:37

Platform

android-x86-arm-20240611.1-en

Max time kernel

6s

Max time network

157s

Command Line

com.ming.wbplus

Signatures

Checks if the Android device is rooted.

evasion
Paths probed for a su binary:
/system/bin/failsafe/su
/system/sd/xbin/su
/system/xbin/su
/data/local/su
/data/local/bin/su
/data/local/xbin/su
/sbin/su
/system/bin/su

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Requests cell location

collection discovery evasion
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network

discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Framework API call: android.hardware.SensorManager.registerListener

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo
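To reproduce the behavioral1 signatures on a live device or emulator instead of relying on the sandbox, the following Frida script (an added example; it is not part of the report and not code from the sample) hooks the framework entry points behind each signature. The sandbox records binder-level calls (IActivityManager, ITelephony, IConnectivityManager); the script hooks the public framework wrappers that issue those calls, which is the same activity seen from the app side. The signature labels ('root-check', 'hw-probe', and so on), the choice of hooking java.io.File's String constructor for the path probes, and the generalization of the report's su list to any path ending in "/su" are this example's own assumptions.

```javascript
// Frida hooks reproducing the behavioral1 signatures (added example, not from the report).
// Usage on a connected device:  frida -U -f com.ming.wbplus -l hooks.js
// The pure helpers (SU_PATHS, classifyPath, record, summarize) also run under plain Node.

// The eight su locations the sandbox saw the sample probe (copied from the report).
const SU_PATHS = [
  '/system/bin/failsafe/su', '/system/sd/xbin/su', '/system/xbin/su',
  '/data/local/su', '/data/local/bin/su', '/data/local/xbin/su',
  '/sbin/su', '/system/bin/su',
];
// /proc files behind the "Checks CPU/memory information" signatures.
const PROC_PATHS = ['/proc/cpuinfo', '/proc/meminfo'];

// Map a path the app opens to a signature label, or null if it is not interesting.
// Generalises the report's list (assumption): any path ending in "/su" is a root check.
function classifyPath(path) {
  if (typeof path !== 'string') return null;
  if (path.endsWith('/su')) return 'root-check';
  if (PROC_PATHS.includes(path)) return 'hw-probe';
  return null;
}

// Event log, one entry per hooked call, mirroring the report's Signatures entries.
const events = [];
function record(signature, indicator) {
  events.push({ signature: signature, indicator: indicator });
  console.log('[' + signature + '] ' + indicator);
  return events.length;
}

// Count events per signature label, e.g. { 'root-check': 8, 'crypto': 3 }.
function summarize() {
  const counts = {};
  for (const e of events) counts[e.signature] = (counts[e.signature] || 0) + 1;
  return counts;
}

// Hook every overload of className.methodName and attribute calls to `signature`.
function hookAll(className, methodName, signature) {
  const method = Java.use(className)[methodName];
  method.overloads.forEach(function (ov) {
    ov.implementation = function () {
      record(signature, className + '.' + methodName);
      return ov.apply(this, arguments);   // call the original overload
    };
  });
}

if (typeof Java !== 'undefined') {          // only inside Frida's Java bridge
  Java.perform(function () {
    // su probes and /proc reads surface as java.io.File(String) constructions.
    const File = Java.use('java.io.File');
    File.$init.overload('java.lang.String').implementation = function (p) {
      const sig = classifyPath(p);
      if (sig) record(sig, p);
      return this.$init(p);
    };
    hookAll('android.app.ActivityManager', 'getRunningAppProcesses', 'process-discovery');
    hookAll('android.app.ApplicationPackageManager', 'getInstalledPackages', 'installed-apps');
    hookAll('android.app.ApplicationPackageManager', 'getInstalledApplications', 'installed-apps');
    hookAll('android.telephony.TelephonyManager', 'getCellLocation', 'cell-location');
    hookAll('android.telephony.TelephonyManager', 'getDeviceId', 'device-id');      // IMEI/MEID
    hookAll('android.telephony.TelephonyManager', 'getSubscriberId', 'device-id');  // IMSI
    hookAll('android.net.ConnectivityManager', 'getActiveNetworkInfo', 'network-info');
    hookAll('android.hardware.SensorManager', 'registerListener', 'sensor-listener');
    hookAll('android.content.ContextWrapper', 'registerReceiver', 'runtime-receiver');
    hookAll('javax.crypto.Cipher', 'doFinal', 'crypto');
  });
}
```

The File hook only sees the String constructor; a sample that builds paths with File(File, String) or shells out to `which su` would need additional hooks, and native code that stat()s the su paths directly bypasses the Java bridge entirely (use Interceptor on libc's open/access for that case). Call summarize() from the Frida REPL after the sample has run to get per-signature counts comparable to the report.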

Processes

com.ming.wbplus

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mazu.3g.qq.com udp
CN 14.18.202.208:80 mazu.3g.qq.com tcp
CN 14.18.202.208:443 mazu.3g.qq.com tcp
US 1.1.1.1:53 stat.ads.toponegames.mobi udp
US 1.1.1.1:53 cloud.xdrig.com udp
US 1.1.1.1:53 i.tddmp.com udp
CN 116.196.71.30:80 i.tddmp.com tcp
CN 129.204.155.121:443 stat.ads.toponegames.mobi tcp
CN 116.198.14.47:443 cloud.xdrig.com tcp
CN 129.204.155.121:443 stat.ads.toponegames.mobi tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Not every row is sample infrastructure: 224.0.0.251:5353 is local mDNS, 1.1.1.1:53 is the sandbox's DNS resolver, and 216.58.201.110 and 142.250.187.238 sit in Google-registered ranges (the latter resolved from android.apis.google.com). mazu.3g.qq.com is Tencent infrastructure and, together with the bugly_db_ and app_turingfd files listed below, is consistent with bundled Tencent Bugly crash-reporting and TuringFD device-fingerprinting SDKs; the remaining .mobi/.com hosts are the ones worth pivoting on when building indicators.

Files

/data/data/com.ming.wbplus/databases/MessageStore.db-journal

MD5 aa878355dd4454a796ec087ecd4f630a
SHA1 42f9193e53732e5d62db51cd999a709ece68eb85
SHA256 3f7df446c2215fe349ab1cd0a2a570deff3d8901b040c8f16fa8309696ba6830
SHA512 f2c399f8bdaeff24607ee699750b5af239e0c5ac4cc3f4b650452272fdf971bd16be9428e10b4531a291d456dbe2d2bc09c225d688f0e209f908d2106b1d2dfb

/data/data/com.ming.wbplus/databases/MessageStore.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ming.wbplus/databases/MessageStore.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.ming.wbplus/databases/MessageStore.db-wal

MD5 ee6c7b5d4f41dea5fc4d8a5be626afcb
SHA1 336ddf8c2030d92a0341ccca1b6471285b3ebdd4
SHA256 1a372f65f18c9ea38d360e406999e390527907b76ab53d18a615b20af8280b45
SHA512 97a0f7f2bf3545b3c040c7022970d927abc161c978b2d4e709405a4c7e97ae148f1c8a791e5feee97ff256f34be3a00e18884442e29a6877b321ac69c5075f90

/data/data/com.ming.wbplus/databases/MsgLogStore.db-journal

MD5 4f8484476f79941cfcad5a9b7fcd3788
SHA1 9f116014ed419d0e4e5e3d407fec0650e67373f6
SHA256 afa4a0e1f4b129e2260f399febb2e807cd4425cc40a8c26d28e90b84ae6bc6f1
SHA512 654280e13ce8367c1d6e3a3f2a8f280392bad21d77cde09b0782039db776a817d9417afd479e28f8f3bd6c867a04b0fa2cfeebf9fe5954e419f4b4bc427b1e92

/data/data/com.ming.wbplus/databases/MsgLogStore.db-wal

MD5 c8dfff2a0f48f25af2f8c4adf704b838
SHA1 3191bdc6ae74e4074b7c8493ce244a905ebba1ec
SHA256 f7e044ee361b2124a266f5ea48690795edb1d0f957e875bb97f1ba2add6037aa
SHA512 537419824a689dc0f53f9ae05e33a58856e5da3d79f53fc5e4283c16067742dcbf36f7640834bdde58b4c713190d8785fed30db21c5af35f99244077343078c1

/data/data/com.ming.wbplus/app_crashrecord/1004

MD5 87cb254252a25b99b5334dfea17fb994
SHA1 3261a1562ab70365d0cd3d9207b252babcecd8c1
SHA256 dbf3c8a5f227560851d6c44258f72f157e7545782c01218f29353cbf73f960b0
SHA512 da22af477694174d1e063942f575990e9fafc6a2a9a8fc99d310f44a24dbd390d6fa3f7c8f991f8bd1326dfdeeb479afd2f7cbc01498abeb9d3d06f4ec47549c

/data/data/com.ming.wbplus/databases/bugly_db_-journal

MD5 20886f227e227dabbe88f54ab50a14b9
SHA1 812799bcfffe09ad7fda2ae65b69ce861e76cd69
SHA256 490db430e5cfb2fd809c030b697c72bce75c4412f56844f7e1077772750ad441
SHA512 53f900e27161759cc1d9c7be8e3e0c8e269567ef03310fc3dec10bd00fe0f3d8cf43842c642893c3ab32db266b9b0db768f5932fcd0fadfe55a85a3566318be8

/data/data/com.ming.wbplus/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.ming.wbplus/databases/bugly_db_-wal

MD5 30e4c17a2c674d6f8ffcc030961549c7
SHA1 bd89dea12262b321884eb47710ca0fb93858b5b3
SHA256 3b1f81d5d43544daf8316e5a4d0ed12b55db76a34aa24124b87254899278149d
SHA512 5ed9fff368351404310619cd3d534d35630faf9b60f0ff19ca85ad7d12aa92e98cb7e7248cbacc21bdeb42417515648b7768e1f889dc42ccd1ad895bdea11587

/data/data/com.ming.wbplus/app_turingfd/11/36_998

MD5 ad675ce82842788181aed91dd840bfda
SHA1 6f74325b60aaa515cfa44ad0479593e743f238c2
SHA256 96c07f45e37396ff74e4229bc05494b639cf306033e47049174d1d6e005bb8f8
SHA512 27f21762802be051e69ed106ccd3f7c7e9475a0330435d07689e1c92665e4cdee2476c47b60f929d0c3fd8eb46f98db2bfdf7b3f7a4cff614069ee72f923fed0

/data/data/com.ming.wbplus/app_turingfd/11/36_998

MD5 b568bd0b83dd27b6a3179e0f71b6fa1c
SHA1 b32932160661c31223dc8ee1bea251b26e291943
SHA256 f58682783a0b066ed9c37193cb794f8db32228aae9b28f6164bff5d7f87bd23c
SHA512 0413d74b0c620efac7d419875dfc1445a37c5d77fec4e36567db271aaecce0de8cca2cb174070a0bf4fb58aa524aa585317aee3f2914a01f986adf70170bcbaf

/data/data/com.ming.wbplus/files/40805.dat

MD5 fe9fc3c1144eab3312709686bafc92e6
SHA1 54cd617461f1358dcb9195378a3818f4d5240cd0
SHA256 ee3b5d4f6c6640a937e8b8e7a46c53da29676cae8cd7f84b0a683989e6c57afc
SHA512 c66205ba3fda384457a39b48c2a56f2137f31086ecb624956089af1e77ee681ecdfaa77b8a9256b96326ecf1e242496d5d898449406787d428d921ea49cea7b9

/data/data/com.ming.wbplus/app_turingfd/mpdc

MD5 50c0b477e7f4f77f230a3ccc3b0021e4
SHA1 ab32e3b4946e34d4440fdb0ad8ffd5f9aa74894d
SHA256 2fb7b57dfac42cef9b08ec9a8a7262972dd2a8f66b3d20a5b5117e8f42f78994
SHA512 7675d38777836d31bb8e9a51a5d107a5b46830f2f93f14e7f43a27672cb143d2422d5c6bdd721c791827db8fdc034c2dc9117bca3af854832fc7d142b8043e84

/data/data/com.ming.wbplus/databases/npth_log.db-journal

MD5 08220733f18d0133e1a565f18d103075
SHA1 1975a58e6b863f2d09515299fb112afbfa2fc698
SHA256 822c02f79cde64f477272609d1c92cc81183b82a06f4a2125c0603ba0ccc91d9
SHA512 e1a12909bd1b23fbda0d890f124e231adb92074e4ebf6495d72b814a0c516cd4884f3d62fca1414080b8552601e2d1f55f6fac386965972f3c2bbe1258588ff0

/data/data/com.ming.wbplus/databases/npth_log.db-wal

MD5 6b21c78fbf3f08defe91af66a186fac8
SHA1 45922191bcf1eea457a8ea2e82193a5b922fe81b
SHA256 45bd0171836896c448dd35590a4520a48292aea13d6c6108202ceae4eafe87fa
SHA512 fa40551cc5999689958ea041f0b5053e9d0ec450fb7b47df8fe3793708b6bda5735d371d9cfb5e7cf3b96df2e5e9f9047486362f2c06b32bb1a1c6d163a07333

/storage/emulated/0/Android/data/com.snssdk.api/cache/clientudid.dat

MD5 8e78ca369d27d0ead00e5ef2db838df5
SHA1 fd1737f86ad7308ebe1cc9cf95eb2b11c7c46c7b
SHA256 0efedb14a884ffc830558a06ff0ed2b3d0b8a4105a2c4ecc6466ce2788a60831
SHA512 e0ed39b87a9a48be1c9c891549696719fd69a232e09e628b27e67abce0270e0b137f4a8f008f5458aa4683d4f084940382cdb686c50742507c9fde04a64f8df0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 10:34

Reported

2024-06-12 10:34

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

No process was launched, no signatures fired and no files were written in this run (4s of network capture, Google and mDNS traffic only), so behavioral2 adds nothing beyond behavioral1.