Malware Analysis Report

2024-09-09 17:17

Sample ID 240613-3ynrsszeqq
Target a733385af1440d1473f9d03674086400_JaffaCakes118
SHA256 be7bc26ee7c903c59ed98eb6e7f0becc24d7077fab41875a626ce334d8b0aaf1
Tags: discovery persistence
Score: 7/10

Analysis Overview


Threat level: the file a733385af1440d1473f9d03674086400_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 23:55

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 23:55

Reported: 2024-06-13 23:58

Platform: android-x86-arm-20240611.1-en

Max time kernel: 137s

Max time network: 184s

Command Line

com.ifreetalk.ftalk

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.ifreetalk.ftalk

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

Network


Files

/data/data/com.ifreetalk.ftalk/databases/ftalk.db-journal

/data/data/com.ifreetalk.ftalk/databases/ftalk.db

/data/data/com.ifreetalk.ftalk/databases/ftalk.db-shm

/data/data/com.ifreetalk.ftalk/databases/ftalk.db-wal

/storage/emulated/0/ifreetalk/download/imgcache/journal.tmp

/storage/emulated/0/ifreetalk/download/action/json/0000.json

/storage/emulated/0/ifreetalk/download/action/ACTION000/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION001/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION002/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION010/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION011/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION012/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION013/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION100/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION101/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION102/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION103/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION110/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION111/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION112/thumb.png

/storage/emulated/0/ifreetalk/download/action/ACTION113/thumb.png

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 23:55

Reported: 2024-06-13 23:58

Platform: android-x86-arm-20240611.1-en

Max time kernel: 8s

Max time network: 139s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network

Country Destination Domain Proto
GB 142.250.178.3:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 23:55

Reported: 2024-06-13 23:58

Platform: android-33-x64-arm64-20240611.1-en

Max time kernel: 8s

Max time network: 170s

Command Line

com.unionpay.uppay

Signatures

N/A

Processes

com.unionpay.uppay

Network


Files

N/A