Malware Analysis Report

2024-09-09 13:19

Sample ID 240613-abzasswelf
Target a30f0843c579505b6149e69daeda3d58_JaffaCakes118
SHA256 4a9d76ef21a86f91fb239054fdbeb47d77bb21179b3702887ca0604248c25867
Tags
banker collection discovery evasion impact
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 4a9d76ef21a86f91fb239054fdbeb47d77bb21179b3702887ca0604248c25867

Threat level: shows suspicious behavior

The file a30f0843c579505b6149e69daeda3d58_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 00:02

Signatures

Requests dangerous framework permissions

Indicator (permission)                      Description
android.permission.READ_PHONE_STATE         Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW      Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
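The four permissions above are the static signal an analyst would re-check on a live device before trusting the sandbox verdict. The script below is an added example, not part of the sandbox report: it parses the "requested permissions:" block that `adb shell dumpsys package <pkg>` prints and maps the permission set to the capabilities that matter for an overlay banker. The dumpsys excerpt is constructed to mirror that layout (it was not captured from the sample), and the flag names are this example's own vocabulary.

```python
"""Parse `adb shell dumpsys package <pkg>` output and flag the permission
combination this report's static analysis shows (overlay + phone state +
location + external storage).  Added example, not part of the sandbox
report.  The excerpt below is constructed to mirror the dumpsys layout,
not captured from the sample."""

SYSTEM_ALERT_WINDOW = "android.permission.SYSTEM_ALERT_WINDOW"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
ACCESS_FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"
WRITE_EXTERNAL_STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"

# Constructed excerpt; the permission names are the four from the table above.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.sim.gerard.bgubhun] (3f2a1b0):
    userId=10123
    requested permissions:
      android.permission.READ_PHONE_STATE
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.READ_PHONE_STATE: granted=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=false
"""


def requested_permissions(dumpsys_text: str) -> set:
    """Collect every entry under a 'requested permissions:' block.

    The block ends at the first line whose indentation is not deeper than
    the header's, which is how dumpsys nests its sections.
    """
    perms = set()
    header_indent = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if stripped == "requested permissions:":
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if not stripped or indent <= header_indent:
            header_indent = None
            continue
        # Keep only the permission name should a ": key=value" suffix follow.
        perms.add(stripped.split(":", 1)[0].strip())
    return perms


def risk_flags(perms: set) -> list:
    """Map the permission set to the capabilities a triage analyst cares about."""
    flags = []
    if SYSTEM_ALERT_WINDOW in perms:
        flags.append("overlay-capable")          # can draw on top of banking apps
    if READ_PHONE_STATE in perms:
        flags.append("reads-phone-state")        # IMEI/IMSI/MSISDN on older API levels
    if ACCESS_FINE_LOCATION in perms:
        flags.append("precise-location")
    if WRITE_EXTERNAL_STORAGE in perms:
        flags.append("writes-external-storage")  # drops files outside the app sandbox
    if SYSTEM_ALERT_WINDOW in perms and READ_PHONE_STATE in perms:
        flags.append("overlay+fingerprint")      # the combination seen in this report
    return flags


def triage(dumpsys_text: str) -> dict:
    """Permission list plus derived flags for one package's dumpsys output."""
    perms = requested_permissions(dumpsys_text)
    return {"permissions": sorted(perms), "flags": risk_flags(perms)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DUMPSYS), indent=2))
```

Run it against real output with `adb shell dumpsys package com.sim.gerard.bgubhun | python3 triage.py` after replacing the constant with `sys.stdin.read()`. The parser deliberately stops at "install permissions:" so that granted-state lines are not mistaken for requested permissions.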

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 00:02
Reported: 2024-06-13 00:06
Platform: android-x86-arm-20240611.1-en
Max time kernel: 87s
Max time network: 150s

Command Line

com.sim.gerard.bgubhun

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection discovery evasion
Indicator: framework service call com.android.internal.telephony.ITelephony.getCellLocation

Acquires the wake lock
Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.sim.gerard.bgubhun

Network

Country  Destination          Domain                               Proto
N/A      224.0.0.251:5353     -                                    udp
US       1.1.1.1:53           csapi.adfeiwo.com                    udp
CN       121.199.58.16:8088   -                                    tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com                    tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53           ad.lanjingke.com                     udp
HK       154.86.204.72:9999   csapi.adfeiwo.com                    tcp
GB       216.58.201.110:443   -                                    tcp
US       1.1.1.1:53           android.apis.google.com              udp
GB       172.217.16.238:443   android.apis.google.com              tcp
CN       121.199.58.16:8088   -                                    tcp
US       1.1.1.1:53           ak47.cooguo.com                      udp
US       1.1.1.1:53           img.ninebox.cn                       udp
HK       154.86.204.72:9999   csapi.adfeiwo.com                    tcp

Files

/data/data/com.sim.gerard.bgubhun/files/setting.txt

MD5 90b604f4273e9af48eb421ee3052b903
SHA1 dcf95523092e5d850aa3e8b56a60104ba939aada
SHA256 48d58ff3b75b08c0e5886ba822501ed87d34bc4edaa92c5c774b89e224700a24
SHA512 a740b5a5a3acee4328da3b986c06e02098d6117e085074fbdc8eeedf477e7ae2527cca100e3d259d57feec7f2a84731924ac6e7bcb70701b7152088151be291b

/storage/emulated/0/Download/ads/clst.dat

MD5 44787d13320c41fe0128d47a2804503a
SHA1 80c3c8711e1d33fdec235a3231771c409bc05747
SHA256 129ad76f4928088d897081d5d95d9f449691dc735767f68435b061504ef06954
SHA512 52ffde4c501260521097d63233ab062003fe9e6f55fe39f72a3870020ec7dd82647c907615fc2c07f270af9dbddc744ac71e6e2c226e7d99a0781e597aa3f9d0

/storage/emulated/0/Android/data/code/KI.DAT

MD5 2b53b6b030d7bdb5da6ea0d501b6a165
SHA1 fa4e9e8d724d91963a3fa3def11790559cac11c1
SHA256 d8209526853a232417c586b6c130ed3ec53af8a2928b95d032ddcee37b4698fc
SHA512 dceddb69f3c907593c47edd56cea3b5cd68e560f020244e6abf9e63c58263d38b36e8736617758f2c5c7292bffd815af44fee3805217aa9065cd143e0599b128

/storage/emulated/0/Download/9j/1.dat

MD5 4bdf32d4972c2adae82c299d0d385d75
SHA1 c13ecbf155453ee71b9375e49e04bea8eaf64402
SHA256 868e0f7349b166c8be4f3912792383f4b075ccf79e8586b3fdeea1bc2550cd19
SHA512 19c10ce0d4c671ac087d086351fc82dee6fa61e78f0cc8edf5981d263196fe294988823b591c4d96b8c6b448e998467f12da442c58ea2b5ddbe96b33c7ff5b26

/storage/emulated/0/Android/data/code/MID.DAT

MD5 c679783f144b5b77cbcc89952b9590de
SHA1 339c29f74856fbb0a27070d1d90c1acde4d49142
SHA256 03e9e03b09bb456d2e730f787e5b232d119d59547959fd73617cbf44dcf56de3
SHA512 5ac8cdf1e7950029ccd418c6df2991e9763083cc631f549ab2302758b0cd634817c1f712db7310927ba39aa9612e7be746532142434d314fb7231e2f97d4aa2f

/storage/emulated/0/ljk/capin/time.dat

MD5 4cf2db54d9485d248873a92f12ecd7f0
SHA1 bb979fc0936ff5512da7cb65697413061029cbdd
SHA256 443029d9d352531a3739fbb17021963b5f29479995962519dda2c37b29974c03
SHA512 5205bc5f709a76ee1b528c1c14de14954f68641bccc79197343363160ec7892a86b041cac3dd843b9a80de6a0256c1c6c07cb83f52176b7c5108bd2c1458be10

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 b36d152f4860de13bfb441faa041599a
SHA1 468507ca7bc6c7968606c84ea619d00b0f61ab9d
SHA256 d3423f84343d479e1475fbeb2b952d603d413f50edc8da616ec60995fe4ea1f0
SHA512 39a4b0a6e4fbc91ece3a19e37c601d4f777c3e7c7228e3d758e13c8407af914f9251debbc43e989bb1d3d0cc2c4cc134f74744867aad82d21e9cc059282f2ee9

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads

MD5 ccafe434dee3daa40fe525297f69cc34
SHA1 f2bffaee6cb9c0e5c6ecbd78388a5502702b1d05
SHA256 dfdc489a14040bbb8543b3c9249b664db5e9dec15ea5b0e5a040f8493dd85bcc
SHA512 fbea0b53395981dbad127c709dad92795947d5ec817927da448ef9c4744bf9b38afb680a43892ec2f309197336c034f7f89ab03e109cf1bd8f70c33952e8353c

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-wal

MD5 d3084fb56c27bcddcf8feb0cc5846388
SHA1 986a15812c1ca59cb6300680d35973484cbab972
SHA256 71439beb81b7c6419699ef8f994a46acbec3d900bc3725e0925b584b38bb7e93
SHA512 4a3982acb9d46478e6fc7ea1bee8cc3ad7883923b2aac25947e1b19a3c34fb1bdb612c902a54bac9fb05300c45048f277f8c4596c68600fe133ff8b2a73a75ed

/storage/emulated/0/Download/ads/rt.dat

MD5 21ddcdc0be65cfdbf076ba31e647268f
SHA1 050cb6673ba1f4473b56bcd3be19ecb76a3ae38a
SHA256 fc5b516d23ab6867f6b9076828adf44a13b3a289eefc3bec185e9e95ef053700
SHA512 fb91bd5bc9bb133e546b9a170c7f0cdc44b7fb77532ae093e378c153df11d0faf86d89bdb0fd229fca154080d6f6669dc172ae0a2f458aa5662b1167306ecc4b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 00:02
Reported: 2024-06-13 00:06
Platform: android-x64-20240611.1-en
Max time kernel: 64s
Max time network: 151s

Command Line

com.sim.gerard.bgubhun

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection discovery evasion
Indicator: framework service call com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.sim.gerard.bgubhun

Network

Country  Destination          Domain                      Proto
N/A      224.0.0.251:5353     -                           udp
US       1.1.1.1:53           csapi.adfeiwo.com           udp
CN       121.199.58.16:8088   -                           tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp
US       1.1.1.1:53           ssl.google-analytics.com    udp
GB       172.217.169.40:443   ssl.google-analytics.com    tcp
US       1.1.1.1:53           ad.lanjingke.com            udp
US       1.1.1.1:53           android.apis.google.com     udp
GB       216.58.204.78:443    android.apis.google.com     tcp
GB       172.217.169.46:443   -                           tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp
CN       121.199.58.16:8088   -                           tcp
GB       172.217.16.226:443   -                           tcp
GB       142.250.178.14:443   -                           tcp
GB       142.250.178.4:443    -                           tcp
GB       142.250.178.4:443    -                           tcp
US       1.1.1.1:53           www.google.com              udp
GB       172.217.169.68:443   www.google.com              tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp

Files

/data/data/com.sim.gerard.bgubhun/files/setting.txt

MD5 d904514dcf72e0aae8a6183b3220977e
SHA1 ce62e1dbb8b20292aa7580d1f3499c3f2c1c5c2d
SHA256 4dbbd8c6247aa1c3f6f1e781123c0ba46cfcd07dc4a90c720bfaaba94a7927d0
SHA512 30bbe3f927176eb0569841b1835362882f3417e4d1ca2338ef012e327dc883cd540e2cc133bc1ab4995c65a54bfe9cd091bc833ff930743d16f613825d87b241

/storage/emulated/0/Download/ads/clst.dat

MD5 daca150bd0e691724c3e00d163515bc9
SHA1 09d96deae86123b51f21b429229d25f5e1d4838c
SHA256 b374af53726b9c72266ed0112cb278f7bf274737d909157c1e1c450b475a4b74
SHA512 e0d5a8d207d47e297eafc97a811cd08262cb3cbef3c9c171789df15944bdf8b7126106d56ce1cebd64912e21c48bc7a7ef755647e9bec4b06b62731270e71df8

/storage/emulated/0/Download/9j/1.dat

MD5 6a5db17ef8a43dcf81b848c15a8bbc21
SHA1 e6ee102b54ed36ae8f9a61d4b585b87e05ee7f59
SHA256 e4b2cccde8a5db70fdcbfcb7eaf74771aa2200081d7e5c671b92afd41e999118
SHA512 7723f274e5ccb84d4dc8f92bbf58f052b2135bb89a688cb6a7824510cb1d122fc218cd32ec1c5d5454d6a66c9a9407183ffb2b1c0eb00722b57b8d517392147e

/storage/emulated/0/ljk/capin/time.dat

MD5 ba1359d94d8bd78cf6b732027bffca47
SHA1 6bfa656280ca69c6254360ec613df3b2554685cc
SHA256 77cc99206d9f35ac283554cff8f6337e97e5b91f126ee394f73a49003e39b54d
SHA512 5ec3b231172c00f6d6d6196232f9e9f6615a1f79e8d4781c7d6a4b0877b5f0b643e850947fd65c9acb2cda39fa8c9b5113000243f9b43358892151efb2994869

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 bfb44578e4df1b482fe260ddd1a049c9
SHA1 ee2e9c4f7116a92dbe563f2c7499baf0506497f3
SHA256 e57e181ca1598c59470be7c7094a6e06d29a8facde5d216134546ec355647afc
SHA512 3de0c5fd4f8ea9f4e04050958d0bb2753d356ac761b92cf5fc6d0c54c409f790d141be2cea7aa1ae4bf1a6692cfa42dd774c846ae594ce91156283acec1bf73b

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads

MD5 0a2ba49032b8868e7e307195a92a3463
SHA1 05f3d6d75a6d19068e0c7a609aeabe5d639eb945
SHA256 ef820a304ba1e7633f04e956b628bd2ae19c940ed9385c19a7ba00aecd29fd1a
SHA512 08fa17e17d7c3c88ff4d093e008ffbd3e2b2ddb8ca0041476b3baee7a31c06a2896632c842a2298684f0dbb8a15b950836669d7d749757fbd5d3718d79ca30e4

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 a78c58049a8bbddf02327ee122d7a156
SHA1 79d0a4d43e3ad16b18a83b8691dad4d70c14b5f4
SHA256 817eff7b6325e2ba29194062a79af00c2f49d3259285e28b6d848d0a5b077b3a
SHA512 067612b752ba2eba439170dab71a9ae9ce079396012e2e8424620b22d60e808b30c0e9a8cae07ea85ceecf022ba32de0af410368dcdd87d076ba7803d0b2d57f

/data/data/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 6922ab10be3e9c903fcdbcead6bf2ca7
SHA1 95da0441ff72bbe064c4b04feebc0d88fc5f00ba
SHA256 5a0bb56b8cc4fba546b4c4631e170fe7c3fe885dc5b4cbde1fd67ccc389b8aa5
SHA512 7767061cb0f85e595c5da1bcc94f6820eae2f4362ba6157ad213f9852961fe139c33337afe0b49159f0831de58a79289a7b1090df5ff6304864e9df0be6faf42

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 00:02
Reported: 2024-06-13 00:06
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 64s
Max time network: 155s

Command Line

com.sim.gerard.bgubhun

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection discovery evasion
Indicator: framework service call com.android.internal.telephony.ITelephony.getCellLocation

Queries information about active data network
Tags: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries information about the current Wi-Fi connection
Tags: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator
Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Processes

com.sim.gerard.bgubhun

Network

Country  Destination          Domain                      Proto
GB       142.250.187.206:443  -                           tcp
GB       142.250.187.206:443  -                           tcp
N/A      224.0.0.251:5353     -                           udp
US       1.1.1.1:53           csapi.adfeiwo.com           udp
CN       121.199.58.16:8088   -                           tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp
US       1.1.1.1:53           ssl.google-analytics.com    udp
GB       142.250.180.8:443    ssl.google-analytics.com    tcp
US       1.1.1.1:53           ad.lanjingke.com            udp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp
CN       121.199.58.16:8088   -                           tcp
GB       216.58.212.196:443   -                           tcp
GB       216.58.212.196:443   -                           tcp
HK       154.86.204.72:9999   csapi.adfeiwo.com           tcp
GB       216.58.201.110:443   -                           tcp
GB       216.58.213.2:443     -                           tcp
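The Network tables of behavioral1, behavioral2 and behavioral3 all contain the same non-Google destinations (csapi.adfeiwo.com on 154.86.204.72:9999, 121.199.58.16:8088, and DNS lookups of ad.lanjingke.com, ak47.cooguo.com and img.ninebox.cn), mixed with sandbox mDNS, resolver traffic and Google front ends. The script below is an added example serving all three tables, not part of the sandbox report: it parses rows in the report's own layout, drops infrastructure and allowlisted Google traffic, records which names were merely resolved versus actually contacted, counts how many detonations each indicator appeared in, and emits Suricata rules. The embedded rows are a subset copied from the three tables; the resolver address, the Google allowlist and the sid range are assumptions to adjust.

```python
"""Merge the Network tables of the three detonations into one IOC list and
emit Suricata rules for the non-benign destinations.  Added example, not
part of the sandbox report.  Rows are copied from the behavioral1/2/3
tables above (a subset; the parser accepts the full tables).  The benign
allowlist and the sid range are assumptions to adjust for your network."""
import ipaddress
from collections import defaultdict

# Rows in the report's own layout: COUNTRY IP:PORT [DOMAIN] PROTO
RUNS = {
    "behavioral1": """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 csapi.adfeiwo.com udp
CN 121.199.58.16:8088 tcp
HK 154.86.204.72:9999 csapi.adfeiwo.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 ad.lanjingke.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ak47.cooguo.com udp
US 1.1.1.1:53 img.ninebox.cn udp
""",
    "behavioral2": """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 csapi.adfeiwo.com udp
CN 121.199.58.16:8088 tcp
HK 154.86.204.72:9999 csapi.adfeiwo.com tcp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ad.lanjingke.com udp
GB 142.250.178.4:443 tcp
""",
    "behavioral3": """\
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 csapi.adfeiwo.com udp
CN 121.199.58.16:8088 tcp
HK 154.86.204.72:9999 csapi.adfeiwo.com tcp
US 1.1.1.1:53 ad.lanjingke.com udp
GB 216.58.201.110:443 tcp
""",
}

# Assumptions: 1.1.1.1 is the sandbox resolver, multicast is mDNS, and these
# suffixes/prefixes are Google front ends (verify against Google's goog.json).
RESOLVER = "1.1.1.1"
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
BENIGN_NETS = [ipaddress.ip_network(n)
               for n in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]


def parse_rows(text):
    """Yield (ip, port, domain_or_None, proto) for each table row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, port = parts[1].rsplit(":", 1)
        yield ip, int(port), (parts[2] if len(parts) == 4 else None), parts[-1]


def is_benign(ip, domain):
    """mDNS, allowlisted Google names and Google address ranges are noise here."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or (domain and domain.endswith(BENIGN_SUFFIXES)):
        return True
    return any(addr in net for net in BENIGN_NETS)


def extract_iocs(runs):
    """Separate looked-up names from contacted endpoints and count runs."""
    domains = defaultdict(lambda: {"runs": set(), "connected": False})
    endpoints = defaultdict(set)
    for run, text in runs.items():
        for ip, port, domain, proto in parse_rows(text):
            if is_benign(ip, domain):
                continue
            if ip == RESOLVER and port == 53:
                if domain:  # a lookup: the queried name is the IOC, not the resolver
                    domains[domain]["runs"].add(run)
                continue
            endpoints[(ip, port, proto)].add(run)
            if domain:
                domains[domain]["runs"].add(run)
                domains[domain]["connected"] = True
    return {"domains": dict(domains), "endpoints": dict(endpoints)}


def suricata_rules(iocs, base_sid=1000001):
    """One DNS rule per name and one flow rule per endpoint (placeholder sids)."""
    rules, sid = [], base_sid
    for name in sorted(iocs["domains"]):
        rules.append(f'alert dns any any -> any any (msg:"Sandbox IOC lookup {name}"; '
                     f'dns.query; content:"{name}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip, port, proto in sorted(iocs["endpoints"]):
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox IOC endpoint {ip}:{port}"; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(RUNS)
    for name, info in sorted(iocs["domains"].items()):
        state = "connected" if info["connected"] else "resolved only"
        print(f"{name}: {len(info['runs'])} run(s), {state}")
    print("\n".join(suricata_rules(iocs)))
```

Two details matter for anyone turning this into detections: ad.lanjingke.com, ak47.cooguo.com and img.ninebox.cn were only resolved, never contacted, in these runs, so a DNS-layer rule is the only one that would have fired for them, and csapi.adfeiwo.com plus the two raw endpoints recur in all three detonations, which makes them the higher-confidence indicators.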

Files

/data/user/0/com.sim.gerard.bgubhun/files/setting.txt

MD5 a779bee516a733abd1254248508445ba
SHA1 24688805b27b56f7f1671b27acec78c6da13c041
SHA256 1b16ffc4ee1e6a2cda838af4943313a3cf0e5816cf40ee7285f7557ebe3fe155
SHA512 998af21915a4b06bc4f3203e4662c8f01cf3ae18f49ef835c82ab582b8d76669ce936f972dc42dc1ed39ecf4a185ce74c51bfb9b9d868e78c1ab7ce87266bdd4

/storage/emulated/0/download/ads/clst.dat

MD5 2a50af537b57beeb23965939469a3e68
SHA1 b50502a35a20e39b6f0e1454bbfb10db5e779cb3
SHA256 89ab9673d48883e6ba3dfa884944f31aacb6c9226e67c60d8099cee30acfe4dd
SHA512 cab38fc59984c5744f3c46fff35864412125ee0ff9da550f51380c0db9b94ccaebd91ec4a88892347fa3c5b554e6af97d597ca7c8e3f86285680db216808c0de

/storage/emulated/0/download/9j/1.dat

MD5 04e7b170f363789941d726237fdf3adc
SHA1 cba297256f08b1902b3b3a7fe47c755601cd82ca
SHA256 d228a88a5437a171c17cdffc00eb855bb618528c080e019c8bd4a0dd06286ab1
SHA512 3b7e32b395eabc1eb745e7864595f24192807adbed34d313409ddf4e90b81d5933eee02031467d061f80f47af4d645505dc1b3deebe540cbc461a513cf63be69

/storage/emulated/0/ljk/capin/time.dat

MD5 22e0e8a1b5562644084ed9e03fa2cabf
SHA1 3c1531c2de985482d26b35978c6521f2215140ad
SHA256 a396d1f391a03090156e8e960b9f900f9b83f75337e7156e97ea4de4558f0b3e
SHA512 d5e37d6690fe20361a714020f3773892ee193d7d88482653ef8fff9223fcb7f1d1223324ade7b62f14e2b3bf7e35b6a0154258407b416e3ddf5ada71260cba68

/data/user/0/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 aa74131e2b6bb33562ec9b6706b7a639
SHA1 b1ef877fab52148107f5e6b8d1937f6118cf15a1
SHA256 3c9b10e1412964379c9934bf4a078e974e23343bfd405e04612bcd400df6d229
SHA512 0c93b8c3e236f354959baf7dfaccdde26631c4cc0251e3795be67fb73baf0a643ad4e0802dbc566d3c70324d025936e0ddc0dd938bc356d106f6d7bc18f65aea

/data/user/0/com.sim.gerard.bgubhun/databases/lcdownloads

MD5 e5d63b234c96d67acce042d109ba11b8
SHA1 7af137445cebaa3f5f6044f91506130659d6e381
SHA256 e65a40dcdf919859725a22f038d3ff4e555b66d6685d5a2cba25bbe20bae66cf
SHA512 b8bdedf06067fb8d4cbb632cafe52fd29237039702f45e19ae79072edb835f958fb2b79225774c73f46c02752cc52f13a29b8df641005466a83b4178bbcc9288

/data/user/0/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 a04571de39bfc285b3983421f51de5b6
SHA1 8b05b27eaaf0513c410bef7c6d88d723b12f8b6e
SHA256 2f9d8dbe6b905284da53ce9d272ca6ad49f27e008d45c2e665922a2cb98817ee
SHA512 0705405f04b1d9be7ac95557f3165406b3c3d56b67eddc7bc2e5a4f98e29a1f9f8fc24646a01026bba6ce5b1ef628fd2c69d4aee725669d28f76d7234eba4a54

/data/user/0/com.sim.gerard.bgubhun/databases/lcdownloads-journal

MD5 75eec6366b7516236ff1c5903cbbdbfd
SHA1 4764ff32a1af59563bc1276b1f36ac322d225029
SHA256 6acae95a9759ed90ec9520c91392869e3c58b8fc9e237f6c178bbc95e6745ad3
SHA512 27a46782eb82e7a5a130cbcc6577858d5bae0eaa9d5855318f313493ebf1ffd218209d3670d04b874a17d8669dea8eea8de29ad90206462d6e2758e413181a3a
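Across the three Files sections the sample writes the same set of paths on every detonation (setting.txt and the lcdownloads database inside its data directory, and clst.dat, 1.dat and time.dat on external storage), but the hash of every one of those files is different in each run, and KI.DAT and MID.DAT appear in behavioral1 only. The script below is an added example, not part of the sandbox report: it normalises the per-run path differences and reports which artifacts are stable enough to use as on-device indicators. The (path, md5) pairs are copied from the Files tables above; the two normalisation rules (/data/data/<pkg> as the user-0 alias of /data/user/0/<pkg>, and case-insensitive emulated external storage) are assumptions stated in the code.

```python
"""Compare the dropped-file listings of the three detonations to decide
which artifacts are usable as indicators.  Added example, not part of the
sandbox report.  The (path, md5) pairs are copied from the Files tables
above; the path normalisation rules are assumptions noted in normalize()."""
import re
from collections import defaultdict

PKG = "com.sim.gerard.bgubhun"

RUNS = {
    "behavioral1": [
        (f"/data/data/{PKG}/files/setting.txt", "90b604f4273e9af48eb421ee3052b903"),
        ("/storage/emulated/0/Download/ads/clst.dat", "44787d13320c41fe0128d47a2804503a"),
        ("/storage/emulated/0/Android/data/code/KI.DAT", "2b53b6b030d7bdb5da6ea0d501b6a165"),
        ("/storage/emulated/0/Download/9j/1.dat", "4bdf32d4972c2adae82c299d0d385d75"),
        ("/storage/emulated/0/Android/data/code/MID.DAT", "c679783f144b5b77cbcc89952b9590de"),
        ("/storage/emulated/0/ljk/capin/time.dat", "4cf2db54d9485d248873a92f12ecd7f0"),
        (f"/data/data/{PKG}/databases/lcdownloads", "ccafe434dee3daa40fe525297f69cc34"),
    ],
    "behavioral2": [
        (f"/data/data/{PKG}/files/setting.txt", "d904514dcf72e0aae8a6183b3220977e"),
        ("/storage/emulated/0/Download/ads/clst.dat", "daca150bd0e691724c3e00d163515bc9"),
        ("/storage/emulated/0/Download/9j/1.dat", "6a5db17ef8a43dcf81b848c15a8bbc21"),
        ("/storage/emulated/0/ljk/capin/time.dat", "ba1359d94d8bd78cf6b732027bffca47"),
        (f"/data/data/{PKG}/databases/lcdownloads", "0a2ba49032b8868e7e307195a92a3463"),
    ],
    "behavioral3": [
        (f"/data/user/0/{PKG}/files/setting.txt", "a779bee516a733abd1254248508445ba"),
        ("/storage/emulated/0/download/ads/clst.dat", "2a50af537b57beeb23965939469a3e68"),
        ("/storage/emulated/0/download/9j/1.dat", "04e7b170f363789941d726237fdf3adc"),
        ("/storage/emulated/0/ljk/capin/time.dat", "22e0e8a1b5562644084ed9e03fa2cabf"),
        (f"/data/user/0/{PKG}/databases/lcdownloads", "e5d63b234c96d67acce042d109ba11b8"),
    ],
}


def normalize(path: str) -> str:
    """Canonicalise per-run differences so the same artifact compares equal.

    Assumptions: /data/data/<pkg> is the user-0 alias of /data/user/0/<pkg>,
    and emulated external storage is case-insensitive, so
    /storage/emulated/0/download equals /storage/emulated/0/Download.
    """
    path = re.sub(r"^/data/data/", "/data/user/0/", path)
    if path.startswith("/storage/emulated/0/"):
        path = path.lower()
    return path


def artifact_stats(runs):
    """Return {normalized_path: {'runs': set of run names, 'hashes': set of md5}}."""
    stats = defaultdict(lambda: {"runs": set(), "hashes": set()})
    for run, files in runs.items():
        for path, md5 in files:
            key = normalize(path)
            stats[key]["runs"].add(run)
            stats[key]["hashes"].add(md5)
    return dict(stats)


def stable_paths(runs):
    """Paths present in every run: the indicator that survives re-execution."""
    stats = artifact_stats(runs)
    return sorted(p for p, s in stats.items() if len(s["runs"]) == len(runs))


def shared_hashes(runs):
    """Hashes that recur across runs; empty here, so hashes are poor IOCs."""
    seen = defaultdict(set)
    for run, files in runs.items():
        for _, md5 in files:
            seen[md5].add(run)
    return {h for h, r in seen.items() if len(r) > 1}


if __name__ == "__main__":
    for p, s in sorted(artifact_stats(RUNS).items()):
        print(f"{len(s['runs'])}/{len(RUNS)} runs, {len(s['hashes'])} distinct md5: {p}")
    print("shared hashes:", shared_hashes(RUNS) or "none")
```

The practical consequence is that a sweep of pulled devices should key on the stable paths (for example `find /storage/emulated/0/ljk/capin -name time.dat` after an adb pull), not on the md5/sha256 values in this report, since the sample regenerates the content of every dropped file on each execution.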