Malware Analysis Report

2024-09-09 17:18

Sample ID 240613-3jfsmsygrr
Target a71eb0e83ed2e827da8f7555e57f37b8_JaffaCakes118
SHA256 514ac20734c27ff2b35f2014d8463ac5ecc4ec5e9ff6911c5cf6d83e2a1c3199
Tags
evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

514ac20734c27ff2b35f2014d8463ac5ecc4ec5e9ff6911c5cf6d83e2a1c3199

Threat Level: Likely malicious

The file a71eb0e83ed2e827da8f7555e57f37b8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:32

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:32

Reported

2024-06-13 23:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

23s

Max time network

130s

Command Line

com.orangeapps.piratetreasure

Signatures

Checks if the Android device is rooted.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.orangeapps.piratetreasure/app_app_apk/piratetreasure.dat.jar | N/A | N/A |
| N/A | /data/user/0/com.orangeapps.piratetreasure/app_app_apk/piratetreasure.dat.jar | N/A | N/A |

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.orangeapps.piratetreasure

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.orangeapps.piratetreasure/app_app_apk/piratetreasure.dat.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.orangeapps.piratetreasure/app_app_apk/oat/x86/piratetreasure.dat.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.169.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |

Files

/data/data/com.orangeapps.piratetreasure/files/file
/data/data/com.orangeapps.piratetreasure/files/file
/data/data/com.orangeapps.piratetreasure/files/file
/data/data/com.orangeapps.piratetreasure/files/file
/data/data/com.orangeapps.piratetreasure/files/file
/data/data/com.orangeapps.piratetreasure/files/file
/data/user/0/com.orangeapps.piratetreasure/app_app_apk/piratetreasure.dat.jar
/data/user/0/com.orangeapps.piratetreasure/app_app_apk/piratetreasure.dat.jar
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666B81B503A8-0001-10AF-B111DD12ECB4BeginSession.cls_temp
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666B81B503A8-0001-10AF-B111DD12ECB4SessionApp.cls_temp
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666B81B503A8-0001-10AF-B111DD12ECB4SessionOS.cls_temp
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_c7753d4e-aca0-4755-8c89-150d37b04b7e_1718321590843.tap
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666B81B503A8-0001-10AF-B111DD12ECB4SessionDevice.cls_temp
/data/data/com.orangeapps.piratetreasure/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap