Malware Analysis Report

2024-09-09 13:00

Sample ID 240613-2s976stfjb
Target a6fa730887d390c8d1cc491426255540_JaffaCakes118
SHA256 dc02e94bc4e00c7b69212568007a2427f54e3d36ffb9c1c20bcb3ac928c5bd60
Tags banker, collection, discovery, evasion, persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 dc02e94bc4e00c7b69212568007a2427f54e3d36ffb9c1c20bcb3ac928c5bd60

Threat Level: Likely malicious

The file a6fa730887d390c8d1cc491426255540_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags banker, collection, discovery, evasion, persistence

Checks if the Android device is rooted.

Reads the content of photos stored on the user's device.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 22:51

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 22:51
Reported 2024-06-13 22:55
Platform android-x86-arm-20240611.1-en
Max time kernel 125s
Max time network 177s

Command Line

com.cmcm.transfer

Signatures

Checks if the Android device is rooted.

Tags evasion

Description | Indicator | Process | Target
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags banker, discovery

Reads the content of photos stored on the user's device.

Tags collection

Description | Indicator | Process | Target
URI accessed for read | content://media/external/images/media | N/A | N/A

Makes use of the framework's foreground persistence service

Tags evasion, persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

Tags discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tags discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.cmcm.transfer

sh

/system/bin/app_process /data/app com.ijinshan.ShouJiKongService.daemon.Daemon 4246 com.cmcm.transfer /data/app/com.cmcm.transfer--1KI4XxgDdyb7SDWqnlHZA==/base.apk version=1.5.0.323 vd=1500323

mount

mount

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp
US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp
US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | helptransfer0.ksmobile.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | cmtransfer.cmcm.com | udp
US | 1.1.1.1:53 | dl.ijinshan.com | udp
CN | 180.163.207.108:80 | dl.ijinshan.com | tcp
CN | 61.170.79.234:80 | dl.ijinshan.com | tcp
US | 1.1.1.1:53 | helptransfer1.ksmobile.com | udp
CN | 180.163.207.109:80 | dl.ijinshan.com | tcp
CN | 61.170.79.235:80 | dl.ijinshan.com | tcp

Files

/data/data/com.cmcm.transfer/files/kfmt.dat

MD5 8178444e82c8b22a5ba89cb60d6a8679
SHA1 db107ce1afc5d4a942002b358489ee0312f4e015
SHA256 20661231b11d2acd75cdba9d3449104172c5f03651606caff1d4a6cd3029852a
SHA512 649116177b835a20b9404798281b874176280efead4550ecf816d820e910ff87792d7b2cd61afebb79e1cb23a2cf68cdb06d7cbef103099c46267197e1d38f61

/data/data/com.cmcm.transfer/files/kctrl.dat

MD5 be06bbd5ff4ebd90eadb38cf2a719f5a
SHA1 39b88d80a190872336518de9aa5718242dfaf316
SHA256 2cb54ff4152dbd8986fb2b9dd5de4004ad73df2e6deaa5cce07c953f17ac5b05
SHA512 61eb1a350b638f65666c11afbd19d9abe9512e8ac11039a2e568b42b30417160bc61dbf67154706b3b88ca9ae44554506e956cd64ba519776b06e911feb98187

/storage/emulated/0/Android/data/com.cmcm.transfer/files/sjk_cfg

MD5 d3af517c16b9932e30a38bbc18f9bfe0
SHA1 ffb841d506a70728d76a0fb9b53a6b3f1a186eee
SHA256 ca36030b47e198639220acd5f3216e7fb48d1058543ec80fded89ef26815a23c
SHA512 4459b4cd0b8b1bc1ee7e3b1f17ff60bfd6d37d3a05ea752c281f6ef46fd86785590b4f2c2992cf642fd987d537fbfe6c2a49ca0d755ddb6db1ee09395c10c11b

/storage/emulated/0/kingdid

MD5 fc0fc0121a8c8e47a4a26fbe98ade8c4
SHA1 38d823249d5159bcd9f1aff992f4e00abc296467
SHA256 14d9b5815df6eaf5a951f1095ad119f7b1896dcb714654a10295f7ddd5a865ff
SHA512 9d6e342bec713a4e4098d3ddb31d9830c40a91dc216b9b1ab15b8b8597e985b71fe10b790f80166bec9a0b677e6e4d7bba64f792b64449e3a103f627117baf3b

/storage/emulated/0/Android/data/com.cmcm.transfer/cache/ThumbCache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.cmcm.transfer/databases/album_classify.db-journal

MD5 a7e6db909c381ebe4112b87a7e61da92
SHA1 8c455035a21e48b8133b28ab6a515afcf15f53ae
SHA256 b0d6a9146f969607c1b551a270ab711f9db1386af37683f225517f5045c682b6
SHA512 78a2a983846155ffdc3ff007bced2e78de663bfd886780c23e6a11be7d67949fb1cacf739632f8d68d0ab55414c563b477792d317b75a79a89682bb7c3ceac88

/data/data/com.cmcm.transfer/databases/album_classify.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cmcm.transfer/databases/album_classify.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cmcm.transfer/databases/album_classify.db-wal

MD5 0b71bb81aac61fc32f6ab1b46bda7e07
SHA1 f97d35c096b0fcec0a1c49ba76ba6efc70d607ba
SHA256 eb639a78efd91964c8b8aae3bf1c6ead60ebe705d19c24df09e7d849f9da4ef3
SHA512 a910f9fd49a5318cc6654f74994733d29ddf508b62940edb288528b2df98e6c64682c77aa781339ae522090b89cd1c841d87521143e38b949f601f93eb3ecccd

/storage/emulated/0/cmTransfer/app_thumb/com_cmcm_transfer.png

MD5 335ce03f6dac1a6c1b7f3778bc25da6c
SHA1 10574436363392c63e56278c10377af031b76e49
SHA256 555813770ee5df75fcf95d89a72b2eea8047895b1e2b8b4b6e472dbc023dcaca
SHA512 b7aebed77e87802a8703f7d9a76943f062d5e07fa8a508a000ec1122ea39fedb95c8129ecf68826bfa627f585a6b6e82962a4400eea51a0d564afadf6fe68702

/storage/emulated/0/cmTransfer/app_thumb/com_google_android_syncadapters_contacts.png

MD5 182704d186ca423b37c8c9f6d01614c7
SHA1 e01f4364232e3c667729561e06b9f6da0a06f183
SHA256 6eb0e4f06ac588562cd3b448c37b3f1925f22c765aeb3a4cccb48cb163d7a64c
SHA512 e2717f5f9392a3bd14891af3a7718cb0d5f29bbdb41aa0c4991e4eea1335a506e2f9a8651c0d72b0b35a250f94f592fcd755b5da2a44d08474633e85be7c7d41

/storage/emulated/0/cmTransfer/app_thumb/com_google_android_gms.png

MD5 6b5c9f04923d1e0e91fa38342631c410
SHA1 1aee3d3c1b15544d073e029648d444d1bca9ebd0
SHA256 07c65208d4a32249b5d20c5fa4f2554307b11fe3f412b403973ede3e2e6e43e1
SHA512 35b310bfa01f286fa25dc878893cf3d4b91844092ef415a65c33942d34107afbf9ced297cf6b28d0f375de8a29c024e9ea3c76e0186182bf61ecbdbf493cede6

/data/data/com.cmcm.transfer/databases/video_audio_classify.db-journal

MD5 593f0f8cbd039edc565507cbde0849b3
SHA1 79798ad328f465bb61e4fed6b1199540ea6c9435
SHA256 242e1d344a1a8d3e8bc40842df6b7a3df02ee71b70e7ed92587d0af6cecdc579
SHA512 46b178e941d49d44366b5bead954be6018027c63250abb56841137157a495d298d10bf7130149dd4212c36c9f65b58a1b38207ff6a61e4b77b2eb6b131b714fe

/data/data/com.cmcm.transfer/databases/video_audio_classify.db-wal

MD5 a81f74bd4d4ee124c7f1db3ada174d61
SHA1 49b5007d8899cb287438062e6815e5e2f8a7fcb0
SHA256 658ddca2151df2276328e59a06ae39c5188fb1bcc17386c138cfc5b3d3a660c8
SHA512 c62cb45975e936a67af52bc47bf4b760d4c55a46aed8a7720ccfe140817b5e561ca7da4a705b106abdca53de1270d0b4bebe56ab5d9c8fb3806a77fb3b9cc13a

/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128579.ich

MD5 50fe10fc94631ee6958a4e1aae4d4537
SHA1 11803321e2cb66755633940f59abfd8fc4826851
SHA256 582991cedcb445f1bae17b8a7faea5573036c12964d87caa5b36100a1aa395ee
SHA512 5b18428a885c58250759421c2c03f36cd03c238e23a4a6043ac9c2e4336a6e8703f495b64070484f9c7ef146aad8b50949389d2f9b40a6273fb76c4d78aca55c

/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128595.ich

MD5 bb33f3f01cf69e7d7d1e125ca8aadcb2
SHA1 f6c69a1053c4cf122c289b1bcd361ba12da4dcfe
SHA256 7bfeaa008887ee41a25f600c12907da21ee56ed1ca7a4f49e9b5a2d0ed3ac777
SHA512 e79b0c9b1171795c7ad2346479c8337bf0ad8cc28052c1e63e2e96eb4b81529a6a735f22afd5e1822c53730726844aa0b6de147b5a24a88e823ab4eee750973b

/data/data/com.cmcm.transfer/files/infoc/transfer_hit_packagename_1718319128612.ich

MD5 ecd66833813937876d959c6452e648a7
SHA1 512239577d7df4efceba8a0a41ce96b685fee19c
SHA256 34ea241577b4c7141fb83c86e612889a1e67b435aa1935b8a38b21c36662e505
SHA512 3d5246ad3dd874032dfa7c3ef6a8417e55c097745e1d1c135c2895c0ec13a9e889f25e97fb12cdeb637989d94583c51b923981f210a04464f4fbc08bf319a1d8

/data/data/com.cmcm.transfer/files/infoc_force/transfer_homepage_1718319146220.ich

MD5 17d872fde4ebc2bddea15a019edc9406
SHA1 4a6f8f71296d887aad7de86a1f4b97abe051134e
SHA256 4a1f75c329d3c7fa7de2ac92cb45e663fd7e9190abb83281c011f62f22abbe44
SHA512 fbbd05c797b1ddb91a150a5122d7ffecf8a2981605bf1c8933cb6e2a37a7e2e5a9adfcb800ff1b6b5fe629644a3df84fedbd5056af32a459ceb933c1b44166a7

/data/data/com.cmcm.transfer/files/infoc_force/transfer_main_1718319147455.ich

MD5 4c5e9d24744bdbaa79ce58f5b93549fe
SHA1 0ec89ad499dcdbdd39dc949207295acb69fa46e4
SHA256 09611f17d67397d4fcc8c6e4ac89863b3f6c4b4f1572fd0e370a9bb3a8aaa4d3
SHA512 c8a05600710d6951afbf96205eceab576fb02a6c40309b811d84f47372f99c31a0d3f6fc821846ed8ee354420d27002cc2cb4ac6a9edbc820459cf99e239f7b3

/data/data/com.cmcm.transfer/files/infoc_force/transfer_active_1718319149046.ich

MD5 413d658ec8d5dc993ccd4f6671518f5d
SHA1 58484edacd515ff4158fba7d13769b2ca759865f
SHA256 2a98274db1290123e2c28eb59c93d19bc205c710c41be583e788534f90f6feb5
SHA512 59812c964b825f9613502780fc9bf9adf46203dec3b8a1518fd3f3dee75cce80d6dfc60c6c6f6bdee186e2232355f2add7034cb95c4b7f83acb3841a5883a00c