Malware Analysis Report

2024-09-09 16:17

Sample ID 240612-r733assgkl
Target a10cd0db7f6946f719c8f70001e3ab5e_JaffaCakes118
SHA256 741c972323eef28570a40adf6e36dc57a1aab08e20e340a2606c81a8bab1670a
Tags
banker discovery impact persistence collection credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

741c972323eef28570a40adf6e36dc57a1aab08e20e340a2606c81a8bab1670a

Threat Level: Shows suspicious behavior

The file a10cd0db7f6946f719c8f70001e3ab5e_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:50

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. | android.permission.BODY_SENSORS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to add voicemails into the system. | com.android.voicemail.permission.ADD_VOICEMAIL | N/A | N/A
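A permission list like the one above is easier to judge as capability clusters than as 27 separate entries. The Python script below is an added example for this report, not part of the sandbox or of the analysed app: it extracts the permission names from the Indicator column (constructed inline from the table), and flags combinations that together enable SMS interception, overlay attacks, call control and contact harvesting. The cluster definitions are the author's own triage heuristics, an assumption, and not an Android protection level.

```python
"""Triage an Android permission list for banker-style capability clusters.

Added example for this report, not part of the sandbox or the analysed app.
The cluster definitions are analyst heuristics (an assumption), not an
Android protection level.
"""
import re

# Constructed input: the Indicator column of the "Requests dangerous
# framework permissions" table in this report, one name per line.
REPORT_PERMISSIONS = """
android.permission.PACKAGE_USAGE_STATS
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.BODY_SENSORS
android.permission.CALL_PHONE
android.permission.CAMERA
android.permission.GET_ACCOUNTS
android.permission.PROCESS_OUTGOING_CALLS
android.permission.READ_CALENDAR
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.RECEIVE_MMS
android.permission.RECEIVE_SMS
android.permission.RECEIVE_WAP_PUSH
android.permission.RECORD_AUDIO
android.permission.SEND_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.USE_SIP
android.permission.WRITE_CALENDAR
android.permission.WRITE_CALL_LOG
android.permission.WRITE_CONTACTS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_SETTINGS
com.android.voicemail.permission.ADD_VOICEMAIL
"""

# Matches a fully qualified permission name wherever it appears on a line,
# so raw report rows and `aapt dump permissions` output both parse.
PERMISSION_RE = re.compile(r"[\w.]+\.permission\.[A-Z0-9_]+")

# Each cluster fires only when *all* of its permissions are present, so a
# lone READ_SMS does not count as interception.
CLUSTERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
    "contact_harvest": {"android.permission.READ_CONTACTS", "android.permission.GET_ACCOUNTS"},
    "foreground_app_tracking": {"android.permission.PACKAGE_USAGE_STATS"},
}


def parse_permissions(text: str) -> set[str]:
    """Return the set of distinct permission names found in the text."""
    return set(PERMISSION_RE.findall(text))


def triage(perms: set[str]) -> dict:
    """Evaluate the clusters and the overlay+SMS combination typical of OTP theft."""
    fired = sorted(name for name, needed in CLUSTERS.items() if needed <= perms)
    return {
        "count": len(perms),
        "clusters": fired,
        "otp_theft_profile": {"overlay", "sms_interception"} <= set(fired),
    }


if __name__ == "__main__":
    print(triage(parse_permissions(REPORT_PERMISSIONS)))
```

The same regex also picks the names out of the `uses-permission: name='...'` lines printed by `aapt dump permissions app.apk`, so the script can be pointed at a fresh APK instead of at a report. For this sample every cluster fires, and the overlay plus SMS-interception pairing is what justifies the banker tag more than any single permission does.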

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:50

Reported

2024-06-12 14:54

Platform

android-x86-arm-20240611.1-en

Max time kernel

47s

Max time network

178s

Command Line

com.chaozhuo.gameassistant

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.chaozhuo.gameassistant

com.chaozhuo.crashhandler

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.phenixos.com | udp
US | 1.1.1.1:53 | www.phoenixstudio.org | udp
US | 67.225.218.22:80 | www.phoenixstudio.org | tcp
US | 67.225.218.22:80 | www.phoenixstudio.org | tcp
US | 1.1.1.1:53 | ww7.phoenixstudio.org | udp
US | 199.59.243.226:80 | ww7.phoenixstudio.org | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.194:443 | partner.googleadservices.com | tcp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.212.206:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 142.250.200.1:443 | afs.googleusercontent.com | tcp
GB | 142.250.200.1:443 | afs.googleusercontent.com | tcp
US | 1.1.1.1:53 | parking3.parklogic.com | udp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
CN | 59.82.29.248:80 | log.umsns.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp

Files

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/inject.sh

MD5 956d006a6ad3b7859fc1d6a5a62cbf29
SHA1 0c04bbfab373c6dfd057e55b6bed0e49d702fb0e
SHA256 4d689453741dc287592030a4a9aa24abdb469e52cf740db6b06ecd51efa8d84b
SHA512 068a066be803552906dd239d23b907abd4a44cfc6f07b7279c0e83fa92105cc9dc5b43e582c54831d004a72a8c8f9a8aeed23721d32d154b3d4945606f56286a

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/com.chaozhuo.gameassistant.inject.dex

MD5 58cf455334d5cbe2a6d269e400473103
SHA1 97eda20a303ec21b49ebf87fec14eeaf59fa4498
SHA256 1bd3dfd8e39dcf08f74f217f7dea76a089e27d3860e81af1f4f39c58c4165130
SHA512 a88c791ea0ccc9521edc917fd3c98c5ca6620d3be60a27795df50be5c2232ee5a92280fa731b6f7232f0dd0d421cc21a7ee56eff6bfb8223c656e9d87916138d

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/libinject.so

MD5 d46e8f2c2bfcd7b1d8e65e6834f94d02
SHA1 c9f92e0ccfdd2d2cb30b2744c4b8564a837233f2
SHA256 50a9b6addebb7027fb4aa2460b5e74d7ef059b8398de4acde48560c7c73897c8
SHA512 12db65e80cfa181f3385ed45853d37bacf84bff8ddce2acdb776b392af166706cdb8aff26aaac738db0a39ed6932e7cc458398a96c966eea2dc908d922f2f836

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/files/stats.dat

MD5 7265a1953ddda5e37527c75197b27520
SHA1 78974c44588ba38fb18d58de37a01e5cdf1a1527
SHA256 dedd7554a4be6be1a756a2d1e4cf86cb6d453e0a6b19475ecae514d7064e9c81
SHA512 fec5b4929eb33dac58211030d1f10225942073244e3d29bf91c9140aa01f4e97ce6060fa51ff614475a58274060ecdb48edfd44650e9ff2d358e5a3416459987

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/files/stats.dat

MD5 7df48ec01a375323cc8d532a24793bce
SHA1 2b3a9f3508d238d8c648843d565701a76f27a4f8
SHA256 73fe4030e1dcdfabe9725e314c95b24b3a3912960e2e8a93baf77971313e757d
SHA512 24c5cd8f9f6b2345f56d90a4f8d84bdedf80db69f9b948991846625801da9b15e5a89332b6c558b95e077f26c0a8b77de4d9168fea1a900937c29021190d8db9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 14:50

Reported

2024-06-12 14:54

Platform

android-x64-20240611.1-en

Max time kernel

74s

Max time network

184s

Command Line

com.chaozhuo.gameassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.chaozhuo.gameassistant

com.chaozhuo.crashhandler

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | | tcp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.phenixos.com | udp
GB | 172.217.16.226:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | www.phoenixstudio.org | udp
US | 67.225.218.22:80 | www.phoenixstudio.org | tcp
US | 67.225.218.22:80 | www.phoenixstudio.org | tcp
US | 1.1.1.1:53 | ww7.phoenixstudio.org | udp
US | 199.59.243.226:80 | ww7.phoenixstudio.org | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | partner.googleadservices.com | udp
GB | 142.250.179.226:443 | partner.googleadservices.com | tcp
US | 1.1.1.1:53 | www.adsensecustomsearchads.com | udp
GB | 172.217.169.14:443 | www.adsensecustomsearchads.com | tcp
US | 1.1.1.1:53 | afs.googleusercontent.com | udp
GB | 142.250.180.1:443 | afs.googleusercontent.com | tcp
GB | 142.250.180.1:443 | afs.googleusercontent.com | tcp
US | 1.1.1.1:53 | parking3.parklogic.com | udp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
CN | 59.82.29.163:80 | log.umsns.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
CN | 59.82.112.112:80 | log.umsns.com | tcp
CN | 59.82.29.249:80 | log.umsns.com | tcp
CN | 59.82.31.154:80 | log.umsns.com | tcp
CN | 59.82.31.160:80 | log.umsns.com | tcp
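The Network tables of both runs mix three things: DNS lookups sent to the sandbox resolver at 1.1.1.1:53, connections to Google endpoints that appear in nearly every Android detonation, and the few destinations that are specific to this sample (log.umsns.com, the phoenixstudio.org hosts, parking3.parklogic.com). The Python below is an added example, not sandbox output, and serves both tables: it parses rows in the report's layout (a subset of rows from behavioral1 and behavioral2 is constructed inline), separates lookups from connections, sets aside the Google endpoints using an allowlist that is an analyst assumption, and reports domains that were looked up but never connected to. In this report that is api.phenixos.com in both runs; the rows do not say why, so the script only surfaces the fact.

```python
"""Separate sandbox network rows into lookups, connections and noise.

Added example, not sandbox output. The allowlist of benign suffixes is an
analyst assumption; everything else is derived from the rows themselves.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed input: a subset of rows from the behavioral1 and behavioral2
# Network tables, in the report's Country/Destination/Domain/Proto layout.
# Both "|"-separated and whitespace-separated rows are accepted.
NETWORK_ROWS = """
Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.umsns.com | udp
CN | 59.82.29.162:80 | log.umsns.com | tcp
US | 1.1.1.1:53 | api.phenixos.com | udp
US | 67.225.218.22:80 | www.phoenixstudio.org | tcp
US | 199.59.243.226:80 | ww7.phoenixstudio.org | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
US | 45.79.244.209:443 | parking3.parklogic.com | tcp
CN 59.82.112.112:80 log.umsns.com tcp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
"""

# Assumption: endpoints that show up in nearly every Android detonation
# (Play services, ads, analytics) and are not indicators on their own.
BENIGN_SUFFIXES = (".google.com", ".googleadservices.com", ".googleusercontent.com",
                   ".adsensecustomsearchads.com", ".google-analytics.com")

# country  ip:port  [domain]  proto   (after whitespace normalisation)
ROW_RE = re.compile(r"^(\S+) (\S+):(\d+) (?:(\S+) )?(tcp|udp)$")


def parse_rows(text: str) -> list[tuple]:
    """Return (country, ip, port, domain_or_None, proto) for each data row."""
    rows = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.replace("|", " ")).strip()
        if not line or line.lower().startswith("country"):
            continue  # blank line or the header row
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable row: {raw!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append((country, ip, int(port), domain, proto))
    return rows


def is_noise(domain: str) -> bool:
    """True for the allowlisted domain or any subdomain of it."""
    return any(domain == s[1:] or domain.endswith(s) for s in BENIGN_SUFFIXES)


def extract_iocs(text: str) -> dict:
    """Classify rows; a domain that was only looked up never got a connection."""
    queried, connected = set(), defaultdict(set)
    unattributed, multicast = set(), set()
    for _country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53 and domain:
            queried.add(domain)                      # DNS lookup, not traffic
        elif ipaddress.ip_address(ip).is_multicast:
            multicast.add(f"{ip}:{port}")            # mDNS/SSDP on the sandbox LAN
        elif domain:
            connected[domain].add(f"{ip}:{port}")
        else:
            unattributed.add(f"{ip}:{port}")         # no domain attributed by the sandbox
    noise = {d for d in queried | set(connected) if is_noise(d)}
    return {
        "queried_only": sorted(queried - set(connected) - noise),
        "connections": {d: sorted(p) for d, p in connected.items() if d not in noise},
        "unattributed": sorted(unattributed),
        "noise": sorted(noise),
        "multicast": sorted(multicast),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(NETWORK_ROWS).items():
        print(key, value)
```

The "connections" output is what goes into a blocklist, deduplicated per domain; "unattributed" entries (443/tcp with no domain) are worth keeping separately, because without a TLS SNI capture the report gives nothing to attribute them to; and "queried_only" is the list to re-resolve later, since a domain that did not answer during detonation may come alive afterwards.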

Files

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/inject.sh

MD5 956d006a6ad3b7859fc1d6a5a62cbf29
SHA1 0c04bbfab373c6dfd057e55b6bed0e49d702fb0e
SHA256 4d689453741dc287592030a4a9aa24abdb469e52cf740db6b06ecd51efa8d84b
SHA512 068a066be803552906dd239d23b907abd4a44cfc6f07b7279c0e83fa92105cc9dc5b43e582c54831d004a72a8c8f9a8aeed23721d32d154b3d4945606f56286a

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/com.chaozhuo.gameassistant.inject.dex

MD5 58cf455334d5cbe2a6d269e400473103
SHA1 97eda20a303ec21b49ebf87fec14eeaf59fa4498
SHA256 1bd3dfd8e39dcf08f74f217f7dea76a089e27d3860e81af1f4f39c58c4165130
SHA512 a88c791ea0ccc9521edc917fd3c98c5ca6620d3be60a27795df50be5c2232ee5a92280fa731b6f7232f0dd0d421cc21a7ee56eff6bfb8223c656e9d87916138d

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/cache/libinject.so

MD5 d46e8f2c2bfcd7b1d8e65e6834f94d02
SHA1 c9f92e0ccfdd2d2cb30b2744c4b8564a837233f2
SHA256 50a9b6addebb7027fb4aa2460b5e74d7ef059b8398de4acde48560c7c73897c8
SHA512 12db65e80cfa181f3385ed45853d37bacf84bff8ddce2acdb776b392af166706cdb8aff26aaac738db0a39ed6932e7cc458398a96c966eea2dc908d922f2f836

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/files/stats.dat

MD5 ffde0bd0c73740fcad4b047a96b5c55d
SHA1 185a66be098795f1080cf9ad7bdd76de40f0d202
SHA256 1b6b26886264bf9cad007b34eb2ba942ebdf86a0e82fc0071e513a9e73ce225b
SHA512 4b2bce9eeb56f7eb64002ed9aa57357fc1e442a19a5efe280746853abec1f8768fc9dec48b12e3e7eebac2aebbabc39895b5d9acb61f75830474443e2d54723c

/storage/emulated/0/Android/data/com.chaozhuo.gameassistant/files/stats.dat

MD5 9dc9979c7bf06481a3694b9c93f4e1a0
SHA1 6390f1338b50816526822b5b4008877623f1ab22
SHA256 0abadb6be294d9da83a434d2d87fe945a52512443939e319ecbf2d77c2b70c7a
SHA512 1be6b18c60b61a560530588623dd345aab0121446c4c8a82360be50a6dc29ed329618c759f725cfbfe6ef0b7ec8aae02bff7d280b50b138f0b9ac1507398d124
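The Files sections of the two runs agree on three artifacts: inject.sh, com.chaozhuo.gameassistant.inject.dex and libinject.so carry identical hashes in behavioral1 and behavioral2, while stats.dat is recorded twice per run with four different hashes in total. The Python below is an added example, not part of the report: it takes (run, path, SHA256) records constructed from the tables above, separates stable dropped artifacts (whose hashes are usable as indicators) from runtime state (where only the path is), and recomputes the four digest types the report lists so a re-extracted artifact can be checked against the recorded values.

```python
"""Cross-run consistency check for the dropped-file artifacts in this report.

Added example, not part of the sandbox report. RECORDS is constructed from
the Files sections of behavioral1 and behavioral2 above.
"""
import hashlib
from collections import defaultdict

PKG_DIR = "/storage/emulated/0/Android/data/com.chaozhuo.gameassistant"

# (run, path, sha256) as listed in the report; stats.dat appears twice per run.
RECORDS = [
    ("behavioral1", PKG_DIR + "/cache/inject.sh", "4d689453741dc287592030a4a9aa24abdb469e52cf740db6b06ecd51efa8d84b"),
    ("behavioral1", PKG_DIR + "/cache/com.chaozhuo.gameassistant.inject.dex", "1bd3dfd8e39dcf08f74f217f7dea76a089e27d3860e81af1f4f39c58c4165130"),
    ("behavioral1", PKG_DIR + "/cache/libinject.so", "50a9b6addebb7027fb4aa2460b5e74d7ef059b8398de4acde48560c7c73897c8"),
    ("behavioral1", PKG_DIR + "/files/stats.dat", "dedd7554a4be6be1a756a2d1e4cf86cb6d453e0a6b19475ecae514d7064e9c81"),
    ("behavioral1", PKG_DIR + "/files/stats.dat", "73fe4030e1dcdfabe9725e314c95b24b3a3912960e2e8a93baf77971313e757d"),
    ("behavioral2", PKG_DIR + "/cache/inject.sh", "4d689453741dc287592030a4a9aa24abdb469e52cf740db6b06ecd51efa8d84b"),
    ("behavioral2", PKG_DIR + "/cache/com.chaozhuo.gameassistant.inject.dex", "1bd3dfd8e39dcf08f74f217f7dea76a089e27d3860e81af1f4f39c58c4165130"),
    ("behavioral2", PKG_DIR + "/cache/libinject.so", "50a9b6addebb7027fb4aa2460b5e74d7ef059b8398de4acde48560c7c73897c8"),
    ("behavioral2", PKG_DIR + "/files/stats.dat", "1b6b26886264bf9cad007b34eb2ba942ebdf86a0e82fc0071e513a9e73ce225b"),
    ("behavioral2", PKG_DIR + "/files/stats.dat", "0abadb6be294d9da83a434d2d87fe945a52512443939e319ecbf2d77c2b70c7a"),
]

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def classify_artifacts(records):
    """Split paths into stable artifacts and volatile runtime state.

    Stable: one hash, seen in every run -> the hash is usable as an indicator.
    Volatile: several hashes for one path -> only the path is an indicator.
    """
    hashes, runs = defaultdict(list), defaultdict(set)
    all_runs = {run for run, _, _ in records}
    for run, path, sha256 in records:
        runs[path].add(run)
        if sha256 not in hashes[path]:
            hashes[path].append(sha256)
    stable = {p: h[0] for p, h in hashes.items() if len(h) == 1 and runs[p] == all_runs}
    volatile = {p: h for p, h in hashes.items() if len(h) > 1}
    return stable, volatile


def digests(data: bytes) -> dict:
    """Compute the four digest types the report lists for each file."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DIGESTS}


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """True if a re-extracted artifact has the SHA256 recorded in the report."""
    return digests(data)["sha256"] == expected_sha256.lower()


if __name__ == "__main__":
    stable, volatile = classify_artifacts(RECORDS)
    for path, sha256 in stable.items():
        print("stable  ", path, sha256)
    for path, seen in volatile.items():
        print("volatile", path, f"{len(seen)} distinct hashes")
```

Run against the records above, the three cache/ files come out stable and files/stats.dat comes out volatile. That split matters when the report is turned into detection content: hashing stats.dat would produce rules that never match a second victim, whereas the three cache/ artifacts are reproducible across detonations and their SHA256 values can be carried over as-is.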