Malware Analysis Report

2024-09-09 16:16

Sample ID: 240612-vcmnlssbnc
Target:    a166656b5f25671dae0c50cf5a87b791_JaffaCakes118
SHA256:    91051ec5bf22ffa774dbb90a55134fe1b2a060e9d6745d8ae9814546539f8a10
Tags:      discovery persistence collection credential_access impact
Score:     7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:  7/10
SHA256: 91051ec5bf22ffa774dbb90a55134fe1b2a060e9d6745d8ae9814546539f8a10

Threat Level: Shows suspicious behavior

The file a166656b5f25671dae0c50cf5a87b791_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 16:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-12 16:50
Reported:         2024-06-12 16:53
Platform:         android-x86-arm-20240611.1-en
Max time kernel:  179s
Max time network: 131s

Command Line

net.kairosoft_Mod.android.okashi_ja

Signatures

Queries the mobile country code (MCC)
Tactic: discovery

Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence

Description            | Indicator                                     | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A     | N/A

Checks memory information

Description            | Indicator     | Process | Target
File opened for read   | /proc/meminfo | N/A     | N/A

Processes

net.kairosoft_Mod.android.okashi_ja

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    |                          | udp
GB      | 142.250.187.206:443 |                          | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 216.58.201.110:443  | android.apis.google.com  | tcp

Files

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 1c7dc7f392e6307d57a65cb44c9fbf6c
SHA1 d75dd434cc78f3b0904f92fe7ccff753e3a4b333
SHA256 d1b328f24c2c87724db1dca6f5c10af9eb8c74828e69e17fac004fda240d39c8
SHA512 c37e3e58bc58989fbd2687851731f94cca78b64616f96a747024a4cf57e3bfc2237e161bee48655f6fe61fe706f17ce948158e5a4b950fdeb299ec448c1a2f6d

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-wal

MD5 46debf6285f0f25feb8ddab02b96d875
SHA1 7304a3642967c2d60be249e81e156c42efcbaa1e
SHA256 1eb86ae5b8e4b43abb1ed31a9a8ed68a1a7884afe143a82b7fa7d9933faba89c
SHA512 6a640c2b2b6f991a1e1e8772f58db65442391028358e4aecb20b0233d5f13a61fc3d949c2dc542de7018243f6a1f2c74994628064dbc1509a8a666f3283ada72

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-12 16:50
Reported:         2024-06-12 16:53
Platform:         android-x64-20240611.1-en
Max time kernel:  179s
Max time network: 148s

Command Line

net.kairosoft_Mod.android.okashi_ja

Signatures

Obtains sensitive information copied to the device clipboard
Tactics: collection credential_access impact

Description            | Indicator                                                | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A     | N/A

Queries the mobile country code (MCC)
Tactic: discovery

Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence

Description            | Indicator                                     | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A     | N/A

Checks memory information

Description            | Indicator     | Process | Target
File opened for read   | /proc/meminfo | N/A     | N/A

Processes

net.kairosoft_Mod.android.okashi_ja

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    |                          | udp
GB      | 142.250.179.234:443 |                          | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 172.217.169.8:443   | ssl.google-analytics.com | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 142.250.187.206:443 | android.apis.google.com  | tcp
GB      | 142.250.200.14:443  |                          | tcp
GB      | 172.217.169.66:443  |                          | tcp
GB      | 216.58.201.100:443  |                          | tcp
GB      | 216.58.201.100:443  |                          | tcp
GB      | 216.58.204.78:443   |                          | tcp

Files

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 ed2dd60e86ea5fbe4ae67c70003de11d
SHA1 0ba54493e1e5b93a136f95157f4ce04490c70359
SHA256 facc53466d216fbb64e5b17571b03f6daf8a51b04765781fcc5161e3a3b9733d
SHA512 b92d60f24627d721d485fb2f6ae1bb511dcca4a47337e6a1976c54d49deec83b870344759e12ee3e9df39702dedd7c6e6975e822557f758c54433c0b8540cd61

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db

MD5 477249d2efd9cce08d44b246fa4803ba
SHA1 105cd67bf850f97aeb19e0bdc9a7e659a1d2b96e
SHA256 0aa99cb5749ee0c5ceb68114cf563c4cdf1d484726056d4af6034b8882a54120
SHA512 e8795465559dec6de12c5e437a889c327a9e17907c229eb038e93fc1d006ee274d4e40f2936ca4cbb27ac3f878d9cebcf873edac645e0fd62b934066d6f9052a

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 78b5eb56b13cc0f92fa7a40a35b8c5a4
SHA1 e56a950b2a932c36690608cdaaf91fac54ce49f0
SHA256 6351ba5915d06abfe7fcded174e5353abdaae13b447e17d68484b7f9758d2768
SHA512 d865cebd8804891ec32d26891b796a66248516e1001440cf2e5a97a2cc2b7904c0946561ed18cfc4e03fb442b661424aa80802ae2026715419572d29675ab688

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 dbdb3cc56a0335d4502d819341ffe327
SHA1 4411506bbca75ad77977380b861cfbb190122690
SHA256 f007e90267c4bde30fabfdd9f8761913a4956831e2b96567f3103e02421ea161
SHA512 86bacaf0fb0fcb106e2c06563939a8e48eb58b4b4f55295b04c0c75c8e7400c49854c9a85433cb2443d2ad36f6ddd9df00cbb11301c52b3b25e2d4b5c7b871e6

/data/data/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 06a527f5625890e21104a35645ece717
SHA1 8f2a6ee09bc36abcd567bd8f58a1cff7d74c09db
SHA256 704f2018836d27a7bf5a56548438bcb7a954e5311e436f520d690b47ee42401d
SHA512 eaf7c53d9597d930b8bc33777a698242ac106455264d6b253087cb270f1625aeea8426c2f0ddb4780aa7ac1c99daca015c98b0006e6ece583a849f0c88cc1cad

Analysis: behavioral3

Detonation Overview

Submitted:        2024-06-12 16:50
Reported:         2024-06-12 16:53
Platform:         android-x64-arm64-20240611.1-en
Max time kernel:  179s
Max time network: 133s

Command Line

net.kairosoft_Mod.android.okashi_ja

Signatures

Obtains sensitive information copied to the device clipboard
Tactics: collection credential_access impact

Description            | Indicator                                                | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A     | N/A

Checks memory information

Description            | Indicator     | Process | Target
File opened for read   | /proc/meminfo | N/A     | N/A

Processes

net.kairosoft_Mod.android.okashi_ja

Network

Country | Destination         | Domain                   | Proto
GB      | 142.250.187.206:443 |                          | tcp
GB      | 142.250.187.206:443 |                          | tcp
N/A     | 224.0.0.251:5353    |                          | udp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 172.217.16.232:443  | ssl.google-analytics.com | tcp
GB      | 142.250.179.228:443 |                          | tcp
GB      | 142.250.179.228:443 |                          | tcp

Files

/data/user/0/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 0a1b6fdf7c61e9642ae8b90ec04e9aa2
SHA1 283088ba3efe86b041b1b712107f56723c33aa66
SHA256 01b75697ffb3dbb2b13f7d80014032183dee2210468479be0dbe12164638c2ca
SHA512 26a83eaee8e6783e817b3e13d3819d463c84229fa776cf28d11183f27c266c74ad195a908a36f5aa14b8f1aa5d8ad63c17e88b8a0c69da7d1cd2efda26685358

/data/user/0/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db

MD5 fb95726e159a17669d542c1650ebbb16
SHA1 aba4805f177ab73c2d1fde0ddd3f61f7a8685109
SHA256 6833ff4b8c3d2e1140400a5638bab7941ecbaab2948723c3625013b4a0761443
SHA512 aead3166ccb9fd7dc9900884837b7c7aacd499b04eed4dd7ee3fbaa9d0e5cb25703c8c2267d537e9202dc84a937b2ad283601ef7b2d924273110c8a0824334d7

/data/user/0/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 b138c01fac41b177dd01d1f958202805
SHA1 52b244a6937c6eb62ff25b206a6629965a311116
SHA256 6e8b21210c3b4d54f767c3b9f872cad16eaa79143355cbc0e438b7f6e58af69d
SHA512 0aa7069bc04b49ebdaee57990d570c1cb02c7c9ba3aa83a158d2bb9d62fae2272e2e1723d2f88acf24e947ee479d7f9a2ec57fb18e39c8bac4a6108731a7cd47

/data/user/0/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 dcc6009eb62a35b542ef998543af10c5
SHA1 aba6312db1f2b47f557f83c7aec236b3995cd5c8
SHA256 80e4cf9568a6d4a2d4b3b77b3d0d8a8b113041fcb150c5e18f9d073beb06665f
SHA512 f7bbc4e3c4a5b18fa69ecf66b3d471fe7518d1cd866b41595a1f0ce67f5cae57967011fc825444821f4dea77c4c54e6e63cdc4696f94fe57dfd31d37d14d843d

/data/user/0/net.kairosoft_Mod.android.okashi_ja/databases/google_analytics.db-journal

MD5 8f59d37bad872314193484e7ab5d4227
SHA1 d06721d578d517b13bd9e1cd1d68c1acd9ed5c91
SHA256 fed5b558c3dfd96d6df8586bdec7114bad7d5fc91ae406ef6649f1206b5eb2d7
SHA512 ab62f3a9745968d2c835da4b2704161f3221f16a97cf41bb63cd50ad8e2bb345a482c686f6a00227c56d2b8385a3b216cc2209f9fc07d89720233b33ff0cfb55