Malware Analysis Report

2024-09-09 17:53

Sample ID 240613-ewlmnaxfjl
Target a3cd92d8eee1013f61c8af939cc2a08e_JaffaCakes118
SHA256 36a9d03308e9ff83ac9a621899cab77c02c9c95182929b6fe03dc1548b4dbe5d
Tags
banker discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

36a9d03308e9ff83ac9a621899cab77c02c9c95182929b6fe03dc1548b4dbe5d

Threat Level: Shows suspicious behavior

The file a3cd92d8eee1013f61c8af939cc2a08e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Makes use of the framework's foreground persistence service

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:17

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:17

Reported

2024-06-13 04:20

Platform

android-x86-arm-20240611.1-en

Max time kernel

71s

Max time network

152s

Command Line

com.hnjc.dl

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.hnjc.dl

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 x3.jdkic.com udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.hnjc.dl/databases/hnjcDL.db-journal

MD5 b7ba6be0f628094df4e39d5fac74ed2a
SHA1 91a417156e9a01eacce9dc4de1633a8543f8f402
SHA256 273307ac432f93927b486912361e949f85e70e205bea1ae4b462d7f5b12a97a3
SHA512 19944b149340817b6cbda4595a1569874509a58a7976cda971b6abc2154ff776bdf8a74623499c84bfa2120494b83239563c6aee91d924211ab7dba548bf971e

/data/data/com.hnjc.dl/databases/hnjcDL.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.hnjc.dl/databases/hnjcDL.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hnjc.dl/databases/hnjcDL.db-wal

MD5 e9900ad1a58df6b3c7dcb804368a1b45
SHA1 2e961b26d4131ac097a58b1ac7772625acd6b380
SHA256 a233c9c062205edd125b92f087d0adfce5d775115ef0a4bd0f98fd177b7df575
SHA512 06b34a61b71e73cbb444bee36137a92f8141819f5154112b62d4ca98a3062b8950ba72dd0121141285ab1d2d634661771ae192c9927df36e4d8f576ed7d8270c

/storage/emulated/0/Android/data/com.hnjc.dl/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.hnjc.dl/files/umeng_it.cache

MD5 ac033d3f3d8fdd84c4d6184d24e5745b
SHA1 e488265e3e3a8519852f32bcb1fad5d4c3fe7ea3
SHA256 713c4872492ef908ccae1e1eeefe668b4e33152d13e0f41cfbeeadaf0ade5c64
SHA512 c5434fab8a34e301e53698c53915824b02bc80d23928f595b4ffdab4acc1f9122a1acb2397266a272933563a8f8702e4e7666ba90eb3fc815dbad7b80df29afb

/data/data/com.hnjc.dl/files/.umeng/exchangeIdentity.json

MD5 2ce4b3d49be973e5fd1bfd261f15d56b
SHA1 ea59b13bd84236ec420c3f628b0a3761419cd2e6
SHA256 0819f7672a1917ecf87707f66344e91fa8378cdec703fe50e4dc0502a6fb748c
SHA512 224570ecfd8c4f4f3eb0e3d4a1f928e028d7931d27f7b879d4dd79f9f008c8100a4d819c2720ef1da8e6f77e36a9c1dd42909630ff71a1c4e0f69cb0df3be3c6

/data/data/com.hnjc.dl/files/.um/um_cache_1718252340430.env

MD5 62d3605d7cb4fba6211fb93afb6b8f24
SHA1 1e20e183542f988f670ba34d10bfa03873e9eb5f
SHA256 3d9ef90d34c9b0a4d116f63b505848a1871c26c503d97a0e52e03546a655f472
SHA512 ae8ed082b23606e76809ddf4e33f2ff99bd741fe417fe4b816bdfc38d7911dc0f173612dad28991a1e802cc36947aa98db6f9340e903eb8025a2af687989a3e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:17

Reported

2024-06-13 04:17

Platform

android-x86-arm-20240611.1-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A