Malware Analysis Report

2024-09-09 17:10

Sample ID: 240613-2g86qsxapp
Target: a6e97ad68abe9022198ec6c3dcb3d665_JaffaCakes118
SHA256: 759621ee3f156ceadbb4b7fcba777947bcdf446f52b6a8884ba65a65e1e6772d
Tags: banker, discovery, impact, persistence
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a6e97ad68abe9022198ec6c3dcb3d665_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery, impact, persistence

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 22:34

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 22:34
Reported: 2024-06-13 22:37
Platform: android-x86-arm-20240611.1-en
Max time kernel: 5s
Max time network: 151s

Command Line

cmccwm.mobilemusic

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cmccwm.mobilemusic

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | miguyy.lingxicloud.com | udp
CN | 120.197.234.165:80 | | tcp
US | 1.1.1.1:53 | da.mmarket.com | udp
CN | 120.232.188.83:80 | da.mmarket.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/cmccwm.mobilemusic/files/evnlxd0

MD5 3791ad0bb79a4c21bbd1caca57adb567
SHA1 1a75de98c3d7b86bbe9ffba081b9a06e3ab20081
SHA256 735ae1957c058985712dd1ea519a867f42570ac637712ba347e5dbd19955d770
SHA512 2cbe753b6ee00353e72fbe06c11128ee283489ac6196d583ccc5f66fd9f7aaf1bf356e73e8989ee75ce1168a5ba12509a0e76d2c6648c89765fde15458d66880

/data/data/cmccwm.mobilemusic/databases/mobile_music-journal

MD5 bca5ae968314e4641ea6aea3d462ea4c
SHA1 ec0da0ac32c8db7d0935343331e767a730f75e22
SHA256 2a6992702ad5fb720de09fb65d11f27579db5342a85e27a627382fd952d9ed8f
SHA512 c922bab44b97ed483b66f09764f2dc2c4295ba67c693d84f8f92c5c55dac38b4a9e6a73f90fb09be9ff9d4bdf2f75fad53921603f7f9f196b1f687668b29528b

/data/data/cmccwm.mobilemusic/databases/mobile_music

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/cmccwm.mobilemusic/databases/mobile_music-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/cmccwm.mobilemusic/databases/mobile_music-wal

MD5 2c3b56e4e2e2467125888c1b7e8c8963
SHA1 e8871a410ab167f44ce43295fd96ebdcd91d1d0a
SHA256 cb5b41ef2d3fd393912b0ac164f046f2ef599d94dc4ac0c6c3521f1fcdc49a61
SHA512 4bdadd8caf9bb418223ddaf6f9e2500e3cecef28aa1f67d8535ba1916bb3803d7771530da209abe865294d490063be42487e7802996bb4d2c5d645f4051d572a

/data/data/cmccwm.mobilemusic/databases/singer.db

MD5 64b3fa2cfd3ebf6b2c554d23e9df39ec
SHA1 c25a3f5f00bbe41f3c26a9cc0b0221da7aca3600
SHA256 75b3879f3f18af5e8d61715eaa01ec8d41dd4af6067f751a77421e13532aa6f0
SHA512 eb9abaf6fdf8f86c95348cde23e7c29c5b784b6e0cf39c063d091b428cd87250dc0f1b032ee2a44ff075559a06c8c8d927ebeecd6018275389205c9593374019