Malware Analysis Report

2024-09-09 16:38

Sample ID 240612-tehxrsvcjq
Target a13d7704a8909eb170d61db739aa3a55_JaffaCakes118
SHA256 b8aae2973f26973dc5883edfd0af5900923cb64e7d2025fd1333a739366214bd
Tags
collection discovery evasion impact persistence credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b8aae2973f26973dc5883edfd0af5900923cb64e7d2025fd1333a739366214bd

Threat Level: Shows suspicious behavior

The file a13d7704a8909eb170d61db739aa3a55_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence credential_access

Queries account information for other applications stored on the device

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:58

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:58

Reported

2024-06-12 16:01

Platform

android-x86-arm-20240611.1-en

Max time kernel

152s

Max time network

159s

Command Line

andy.xml

Signatures

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

andy.xml

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.andyforandroid.com udp
GB 142.250.180.14:80 www.google-analytics.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/andy.xml/databases/google_analytics.db-journal

/data/data/andy.xml/databases/google_analytics.db

/data/data/andy.xml/databases/google_analytics.db-shm

/data/data/andy.xml/databases/google_analytics.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:58

Reported

2024-06-12 16:01

Platform

android-x64-20240611.1-en

Max time kernel

48s

Max time network

147s

Command Line

andy.xml

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

andy.xml

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.andyforandroid.com udp
GB 142.250.187.206:80 www.google-analytics.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.204.78:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/andy.xml/databases/google_analytics.db-journal

/data/data/andy.xml/databases/google_analytics.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 15:58

Reported

2024-06-12 16:01

Platform

android-x64-arm64-20240611.1-en

Max time kernel

20s

Max time network

137s

Command Line

andy.xml

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

andy.xml

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.andyforandroid.com udp
US 1.1.1.1:53 redirector.gvt1.com udp
GB 216.58.204.78:443 redirector.gvt1.com tcp
US 1.1.1.1:53 r3---sn-aigl6nsd.gvt1.com udp
GB 74.125.105.40:443 r3---sn-aigl6nsd.gvt1.com tcp
US 1.1.1.1:53 r5---sn-aigl6nzl.gvt1.com udp
GB 74.125.168.170:443 r5---sn-aigl6nzl.gvt1.com tcp
US 216.239.38.178:80 www.google-analytics.com tcp
US 1.1.1.1:53 r2---sn-aigl6nsd.gvt1.com udp
GB 74.125.105.39:443 r2---sn-aigl6nsd.gvt1.com tcp
US 1.1.1.1:53 r4---sn-aigl6nz7.gvt1.com udp
GB 74.125.168.105:443 r4---sn-aigl6nz7.gvt1.com tcp
US 1.1.1.1:53 r2---sn-aigl6ned.gvt1.com udp
GB 173.194.183.71:443 r2---sn-aigl6ned.gvt1.com tcp
US 1.1.1.1:53 r4---sn-aigl6nzk.gvt1.com udp
GB 74.125.175.105:443 r4---sn-aigl6nzk.gvt1.com tcp
US 1.1.1.1:53 r1---sn-aigl6nze.gvt1.com udp
GB 74.125.168.134:443 r1---sn-aigl6nze.gvt1.com tcp
US 1.1.1.1:53 r1---sn-aigl6ns6.gvt1.com udp
GB 74.125.105.6:443 r1---sn-aigl6ns6.gvt1.com tcp
US 1.1.1.1:53 r1---sn-aigl6nzs.gvt1.com udp
GB 74.125.175.70:443 r1---sn-aigl6nzs.gvt1.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/user/0/andy.xml/databases/google_analytics.db-journal

/data/user/0/andy.xml/databases/google_analytics.db