Malware Analysis Report

2024-07-28 12:03

Sample ID: 240612-t63fgssaja
Target: a15ef404c82f116b2797bd03403be439_JaffaCakes118
SHA256: 73c77423186927158f0d56e6a6a041cee52c5c881f726b5bdc7a2b232bc64d92
Tags: discovery, impact, persistence, collection, credential_access
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 73c77423186927158f0d56e6a6a041cee52c5c881f726b5bdc7a2b232bc64d92

Threat Level: Shows suspicious behavior

The file a15ef404c82f116b2797bd03403be439_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact, persistence, collection, credential_access

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 16:41

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 16:41
Reported: 2024-06-12 16:44
Platform: android-x86-arm-20240611.1-en
Max time kernel: 50s
Max time network: 186s

Command Line

cn.x181791.app

Signatures

Queries the mobile country code (MCC) [discovery]

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data) [impact]

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.x181791.app

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 16:41
Reported: 2024-06-12 16:44
Platform: android-x64-20240611.1-en
Max time kernel: 172s
Max time network: 187s

Command Line

cn.x181791.app

Signatures

Obtains sensitive information copied to the device clipboard [collection, credential_access, impact]

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC) [discovery]

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data) [impact]

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cn.x181791.app

Network


Files

N/A