Malware Analysis Report

2024-09-09 13:01

Sample ID: 240613-2skbratepb
Target: a6f924cddb35d01871883372d0545225_JaffaCakes118
SHA256: e2f4cf12c2da182b17aae2fba3481c933ed598a2c82c93756dc23a5285a4bfd0
Tags: discovery persistence collection evasion
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

e2f4cf12c2da182b17aae2fba3481c933ed598a2c82c93756dc23a5285a4bfd0

Threat Level: Likely malicious

The file a6f924cddb35d01871883372d0545225_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence collection evasion

Checks if the Android device is rooted.

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:50

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
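The table above mixes two kinds of permission: runtime ("dangerous") permissions that trigger a user dialog, and PACKAGE_USAGE_STATS, which is a special-access permission the user must enable under Settings and never prompts at runtime. The following script, an added example for reading this report rather than the sandbox's own logic, buckets the listed permissions by protection level and group and attaches the capability each one grants. The group mapping follows the runtime-permission groups of the Android platform manifest; the special-access set and the capability notes are this example's assumptions and should be re-checked against the target API level.

```python
"""Classify the permissions the static1 pass flagged as "dangerous framework
permissions" by Android protection level and permission group, and list the
capability each one gives the app.

Added example, not the sandbox's own logic. The group mapping follows the
runtime-permission groups in the Android platform manifest; the special-access
set and the capability notes are assumptions to re-verify per API level.
"""
from collections import defaultdict

# Permission string -> runtime permission group (protection level "dangerous").
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
}

# Not runtime-grantable: the user enables these under Settings > Special app
# access (protection level includes "appop"), so no runtime dialog ever appears.
SPECIAL_ACCESS = {
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.WRITE_SETTINGS",
}

# What the permission lets the app do, phrased for a triage note (assumed wording).
CAPABILITY_NOTES = {
    "android.permission.RECEIVE_SMS": "receives incoming SMS, including one-time codes",
    "android.permission.CALL_PHONE": "dials numbers without the Dialer confirmation UI",
    "android.permission.PACKAGE_USAGE_STATS": "special access: learns which app is in the foreground",
    "android.permission.READ_PHONE_STATE": "on API < 29 also exposes IMEI/MEID via getDeviceId()",
    "android.permission.ACCESS_FINE_LOCATION": "GPS-precision location",
}

# The permissions listed in the static1 table of this report.
REPORT_PERMISSIONS = (
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CAMERA",
    "android.permission.CALL_PHONE",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.RECEIVE_SMS",
)


def classify(permissions):
    """Bucket permissions into dangerous (keyed by group), special access, and other."""
    out = {"dangerous": defaultdict(list), "special_access": [], "other": []}
    for p in sorted(set(permissions)):
        if p in DANGEROUS:
            out["dangerous"][DANGEROUS[p]].append(p)
        elif p in SPECIAL_ACCESS:
            out["special_access"].append(p)
        else:
            out["other"].append(p)
    out["dangerous"] = dict(out["dangerous"])
    return out


def capability_notes(permissions):
    """Return (permission, note) pairs for requested permissions that carry a note."""
    return [(p, CAPABILITY_NOTES[p]) for p in sorted(set(permissions)) if p in CAPABILITY_NOTES]


if __name__ == "__main__":
    buckets = classify(REPORT_PERMISSIONS)
    for group, perms in sorted(buckets["dangerous"].items()):
        print(f"dangerous/{group}: {', '.join(perms)}")
    print("special access:", ", ".join(buckets["special_access"]) or "none")
    for perm, note in capability_notes(REPORT_PERMISSIONS):
        print(f"  {perm}: {note}")
```

Run on the report's list, every permission except PACKAGE_USAGE_STATS lands in a runtime group (LOCATION, STORAGE, PHONE, CAMERA, SMS); the combination of RECEIVE_SMS, CALL_PHONE and READ_PHONE_STATE is what makes the static score worth a closer look, since together they allow reading one-time codes, dialing without confirmation and (on older API levels) reading the IMEI.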

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:50

Reported

2024-06-13 22:54

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

169s

Command Line

com.ikongjian.decoration

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ikongjian.decoration

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.74:443 | - | tcp
GB | 172.217.169.74:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.ikongjian.decoration/files/Mob/domain_1

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:50

Reported

2024-06-13 22:53

Platform

android-x64-20240611.1-en

Max time kernel

5s

Max time network

180s

Command Line

com.ikongjian.decoration

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
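Each signature in the behavioral1 and behavioral2 sections above is a rule over one event kind (framework service call, framework API call, file opened for read) and a value pattern, carrying the tags that roll up into the report header. The script below re-implements that matching in miniature over a constructed event stream shaped like this report's indicators. It is an added example, not the sandbox's own engine; the rule set is modelled on the signatures above, the event order is illustrative, and the IPhoneSubInfo pattern for the device-ID rule is an assumption because the report shows no indicator for that signature.

```python
"""Minimal behavioural signature matcher in the style of the Signatures sections.

Added example, not the sandbox's own engine. Rules are modelled on this report's
indicators; the event stream is constructed; the IPhoneSubInfo pattern is an
assumption (the report lists no indicator for the device-ID signature).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tags: tuple
    kind: str      # "service_call" | "api_call" | "file_read"
    pattern: str   # regular expression matched against the event value


RULES = (
    Rule("Checks if the Android device is rooted", ("evasion",), "file_read",
         r"^(/system/app/Superuser\.apk|/system/x?bin/su|/sbin/su|/su/bin/su)$"),
    Rule("Queries information about running processes on the device", ("discovery",),
         "service_call", r"^android\.app\.IActivityManager\.getRunningAppProcesses$"),
    Rule("Requests cell location", ("collection", "discovery", "evasion"), "service_call",
         r"^com\.android\.internal\.telephony\.ITelephony\.getCellLocation$"),
    Rule("Queries information about active data network", ("discovery",), "service_call",
         r"^android\.net\.IConnectivityManager\.getActiveNetworkInfo$"),
    Rule("Queries information about the current Wi-Fi connection", ("discovery",),
         "service_call", r"^android\.net\.wifi\.IWifiManager\.getConnectionInfo$"),
    # Assumed indicator: the report names the signature but shows no call for it.
    Rule("Queries the unique device ID (IMEI, MEID, IMSI)", ("discovery",), "service_call",
         r"^com\.android\.internal\.telephony\.IPhoneSubInfo\.get(DeviceId|Imei|Meid|SubscriberId)"),
    Rule("Listens for changes in the sensor environment (might be used to detect emulation)",
         ("evasion",), "api_call", r"^android\.hardware\.SensorManager\.registerListener$"),
    Rule("Registers a broadcast receiver at runtime (usually for listening for system events)",
         ("persistence",), "service_call", r"^android\.app\.IActivityManager\.registerReceiver$"),
    Rule("Checks CPU information", (), "file_read", r"^/proc/cpuinfo$"),
)


def match(events):
    """Map each triggered rule name to its tags and the concrete indicators that hit it."""
    hits = {}
    for ev in events:
        for rule in RULES:
            if ev["kind"] == rule.kind and re.search(rule.pattern, ev["value"]):
                h = hits.setdefault(rule.name, {"tags": set(rule.tags), "indicators": set()})
                h["indicators"].add(ev["value"])
    return hits


def summarize(hits):
    """Collapse hits into the report-style header: signature names plus the union of tags."""
    tags = sorted({t for h in hits.values() for t in h["tags"]})
    return {"signatures": sorted(hits), "tags": tags}


# Constructed event stream modelled on the behavioral2 run (order is illustrative).
EVENTS = [
    {"kind": "file_read", "value": "/system/app/Superuser.apk"},
    {"kind": "file_read", "value": "/proc/cpuinfo"},
    {"kind": "service_call", "value": "android.app.IActivityManager.getRunningAppProcesses"},
    {"kind": "service_call", "value": "com.android.internal.telephony.ITelephony.getCellLocation"},
    {"kind": "service_call", "value": "android.net.IConnectivityManager.getActiveNetworkInfo"},
    {"kind": "service_call", "value": "android.net.wifi.IWifiManager.getConnectionInfo"},
    {"kind": "service_call", "value": "com.android.internal.telephony.IPhoneSubInfo.getDeviceId"},  # assumed
    {"kind": "api_call", "value": "android.hardware.SensorManager.registerListener"},
    {"kind": "service_call", "value": "android.app.IActivityManager.registerReceiver"},
    # App-private file read: matches no rule, so it must not appear in the output.
    {"kind": "file_read", "value": "/data/data/com.ikongjian.decoration/files/Mob/domain_1"},
]

if __name__ == "__main__":
    hits = match(EVENTS)
    for name, h in hits.items():
        print(f"{name} [{' '.join(sorted(h['tags']))}] <- {sorted(h['indicators'])}")
    print(summarize(hits))
```

Two points worth keeping in mind when reading such output: the "evasion" tag on the root check and the sensor listener is a heuristic, since the same calls are made by ordinary analytics and anti-fraud SDKs during initialisation, and a signature with no tag (here "Checks CPU information") contributes nothing to the header but still records an indicator worth correlating with the short kernel run time.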

Processes

com.ikongjian.decoration

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | api.exc.mob.com | udp
CN | 180.188.25.46:443 | api.exc.mob.com | tcp
US | 1.1.1.1:53 | plbslog.umeng.com | udp
CN | 36.156.202.75:443 | plbslog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp
GB | 216.58.201.98:443 | - | tcp
GB | 216.58.213.14:443 | - | tcp
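The Network tables in both behavioural runs interleave DNS lookups to the sandbox resolver, mDNS multicast, TLS connections tied to a resolved name, and TLS connections to bare IPs. The script below, an added example rather than sandbox tooling, parses rows in the report's format and separates those four cases so the analyst sees which names were resolved, which endpoint each name led to, and which IPs were contacted without an associated name. The rows are copied from the behavioral2 table above with duplicate lines collapsed; the domain-to-owner mapping is this example's assumption and should be confirmed against current WHOIS or passive DNS.

```python
"""Turn the report's Network rows into per-host IOCs.

Added example, not sandbox code. ROWS are copied from the behavioral2 Network
table (duplicates collapsed); KNOWN_SUFFIXES is an assumed owner mapping.
"""
import ipaddress
import re
from collections import defaultdict

ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 api.exc.mob.com udp
CN 180.188.25.46:443 api.exc.mob.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.75:443 plbslog.umeng.com tcp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp
GB 216.58.213.14:443 tcp
"""

# country  ip:port  [domain]  proto  -- the domain column is optional.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+(?:(?P<domain>[\w.-]+)\s+)?(?P<proto>tcp|udp)$"
)

# Domain suffix -> presumed owner (assumption for this example; verify independently).
KNOWN_SUFFIXES = {
    "android.apis.google.com": "Google platform endpoint",
    "google-analytics.com": "Google Analytics",
    "mob.com": "MobTech SDK",
    "umeng.com": "Umeng analytics SDK",
}


def parse(rows):
    """Parse report rows into dicts; raise on any row that does not fit the format."""
    flows = []
    for line in rows.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable row: {line!r}")
        f = m.groupdict()
        f["port"] = int(f["port"])
        flows.append(f)
    return flows


def owner(domain):
    for suffix, who in KNOWN_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return who
    return "unknown"


def triage(flows, resolver="1.1.1.1"):
    """Split flows into DNS lookups, multicast, named endpoints and bare-IP endpoints."""
    lookups = set()
    endpoints = defaultdict(set)   # name or bare IP -> {(ip, port, proto)}
    bare_ips = set()
    multicast = set()
    for f in flows:
        ip = ipaddress.ip_address(f["ip"])
        if ip.is_multicast:
            multicast.add((f["ip"], f["port"], f["proto"]))
        elif f["proto"] == "udp" and f["ip"] == resolver and f["port"] == 53 and f["domain"]:
            lookups.add(f["domain"])
        else:
            key = f["domain"] or f["ip"]
            if not f["domain"]:
                bare_ips.add(key)
            endpoints[key].add((f["ip"], f["port"], f["proto"]))
    return {
        "lookups": lookups,
        "owners": {d: owner(d) for d in lookups},
        "endpoints": dict(endpoints),
        "resolved_not_contacted": lookups - set(endpoints),
        "unattributed_ips": sorted(bare_ips),
        "multicast": multicast,
    }


if __name__ == "__main__":
    for key, value in triage(parse(ROWS)).items():
        print(f"{key}: {value}")
```

For this run every resolved name was also contacted, the two CN endpoints belong to the MobTech and Umeng telemetry names, and four Google-range IPs were reached without a preceding lookup in the table (typically connections made by Play services or a pre-resolved name). None of the destinations is a hard indicator of compromise on its own; what an analyst takes from this is the inventory of third-party SDKs the app initialises, which lines up with the Mob and Bugly files it drops.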

Files

/data/data/com.ikongjian.decoration/files/Mob/domain_1

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

/data/data/com.ikongjian.decoration/app_crashrecord/1004

MD5 39e1f16bf74c9e825dc13b25c9e4c0a2
SHA1 250fa0a2e7adef224213876f735dc251f0332169
SHA256 03cc242260332e7e676e29a087e4b0f7f967cd5320bd73a8df9ca3577830a63f
SHA512 3717dda27180753e1d2b4953611df578066c8c71fd7cc5f74e98658ec008b3936eea6e847eff0fa752c4e952f5d868090e9d568d109aae1d4ee6d536974d90ae

/data/data/com.ikongjian.decoration/databases/bugly_db_-journal

MD5 ce99de2b5fc97b762f219c87c53d822e
SHA1 56721dd26a7fffff6955262c701d00621e9c0fc3
SHA256 8c5f479a4bf3e997e6a363248309155d1a472944939d59c6fb1cc09676bd0082
SHA512 57947ed8653b23d875744f578051f9f8d15b7938638c97fbbebee80f367c2bf64faeef13052d04a1248986f513de945a4cc1509c55a81745ab9da473714bd3eb

/data/data/com.ikongjian.decoration/databases/bugly_db_

MD5 8d779bc351bca34ccd2d2809e41b443c
SHA1 f2d08dd7bb15bfb63759fa9a305d46e7a0ffac09
SHA256 30b89ee68ea527810da5c1afcca6e033476676d648b7133e7c372347f446d6a8
SHA512 f852654be6d55cb30192a0fbab2ae1ef18166489b95b5a8ce8913fc242e4478b98b7cd49ad8aa11b400ee2e12ddcbed5f0c1d87a22cb373f029cf5f94df2f231

/data/data/com.ikongjian.decoration/databases/bugly_db_-journal

MD5 2ea9bc1bf2a27c5e314507acdffaede5
SHA1 1ff79870bd0fc91a9f9e06c6c3eeebbd8aa398d6
SHA256 ede0bb10e4aa00e09491ae80d5b53c092dad971ac465ebedeb3b12ceed296b07
SHA512 41f714b44f8c71bab5d77f91c866587dac0931987a5188fb587dd804702fd3d24edf881802b880218dd0a6261266165b41196cc74069ba2e66d7999e0575c729

/data/data/com.ikongjian.decoration/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.ikongjian.decoration/databases/bugly_db_-journal

MD5 a41df95beaac51a75ea759f1bc3701bd
SHA1 fb92e3aa5efd80e787c70d27cb89645bff518f36
SHA256 f89eda93e10f36dba253008753f6bb43f1fb6936cc89ecaa23b4a441d3ec9bd4
SHA512 947996045cca5b8f95019058e29091dd8478d25948b23a60ebb8ba3b559f24e387778f178679ca7e78e071f70ee1f200356dba7264ce0682c18fff5744b8a4dc

/data/data/com.ikongjian.decoration/databases/bugly_db_-journal

MD5 bb9fffce8241776365ef3e3cc676d3a4
SHA1 ab3ceac926a4c85de6e5711b00627d4195e07b95
SHA256 d465deb6025e34e2fb0fa1db3e81bd6e916384612adec173ab4c01dcf3f1f172
SHA512 2eb94038b8b589270d1c38bf7c006caa1f133b9da2139e6ad594a4d7b9587a78d1db571d6d195340fa12394c8d7e0c22e2478b98eb97f6a7e965373468295752

/data/data/com.ikongjian.decoration/databases/bugly_db_-journal

MD5 318330f5161268c70543fc0b642d0ce4
SHA1 1513754d18006e75e77ae86c9d82fa9edce22d15
SHA256 f6e5f2856ed57bbcf979826a66c090229abb822a9d5767e5fbae1ebd94436379
SHA512 525a6dcee2b8243e35e7ac2dad676711bbb2df1c50832ab73afaaf3f62778d8c924bf848b44ec58a680fdf188166ccd63c7fa83a45f57cd1970aa7678a6a61f0
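A quick check worth doing on every dropped-file list is to compare the reported digests against the digests of trivial contents before spending time on a file. The MD5, SHA-1, SHA-256 and SHA-512 reported for /data/data/com.ikongjian.decoration/files/Mob/domain_1 in both behavioural runs are exactly the digests of the two-byte string "{}", so that file is an empty JSON object, not a configuration or payload. The remaining files (bugly_db_, its rollback journal snapshots, and app_crashrecord) carry the names used by Tencent's Bugly crash-reporting SDK and have non-trivial digests. The script below, an added example rather than sandbox tooling, automates that comparison; the file records are copied from the Files section above, and the set of trivial contents is this example's own choice.

```python
"""Flag dropped files whose reported digests are those of trivial contents.

Added example, not sandbox code. REPORT_FILES is copied from the behavioral2
Files section above; TRIVIAL_CONTENTS is this example's own list.
"""
import hashlib

TRIVIAL_CONTENTS = {
    "empty file": b"",
    "empty JSON object": b"{}",
    "empty JSON array": b"[]",
    "single newline": b"\n",
    "JSON null": b"null",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digests(data):
    """All four digests the report lists, as lowercase hex."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


KNOWN_TRIVIAL = {label: digests(data) for label, data in TRIVIAL_CONTENTS.items()}


def identify(record):
    """Return the trivial-content label whose digests all match the record, else None.

    A partial match (some algorithms agree, others do not) means the record's
    digests do not describe one file and is reported as an error rather than hidden.
    """
    supplied = {a: record[a].lower() for a in ALGOS if a in record}
    if not supplied:
        raise ValueError("record carries no digest")
    for label, known in KNOWN_TRIVIAL.items():
        agree = sum(known[a] == v for a, v in supplied.items())
        if agree == len(supplied):
            return label
        if agree:
            raise ValueError(f"digests partially match {label!r}: inconsistent record")
    return None


def triage_files(records):
    """Map each reported path to a trivial-content label or None."""
    return {r["path"]: identify(r) for r in records}


# Two records copied from the behavioral2 Files section of this report.
REPORT_FILES = [
    {
        "path": "/data/data/com.ikongjian.decoration/files/Mob/domain_1",
        "md5": "99914b932bd37a50b983c5e7c90ae93b",
        "sha1": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f",
        "sha256": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
        "sha512": "27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a"
                  "33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd",
    },
    {
        "path": "/data/data/com.ikongjian.decoration/databases/bugly_db_",
        "md5": "8d779bc351bca34ccd2d2809e41b443c",
        "sha1": "f2d08dd7bb15bfb63759fa9a305d46e7a0ffac09",
        "sha256": "30b89ee68ea527810da5c1afcca6e033476676d648b7133e7c372347f446d6a8",
        "sha512": "f852654be6d55cb30192a0fbab2ae1ef18166489b95b5a8ce8913fc242e4478b9"
                  "8b7cd49ad8aa11b400ee2e12ddcbed5f0c1d87a22cb373f029cf5f94df2f231",
    },
]

if __name__ == "__main__":
    for path, label in triage_files(REPORT_FILES).items():
        print(f"{path}: {label or 'non-trivial content, inspect'}")
```

Applied to the report, only domain_1 is identified (as an empty JSON object); the bugly_db_ database and the journal snapshots are real content and are the files to pull from the sandbox if the app's crash-reporting traffic needs to be understood.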