Malware Analysis Report

2024-09-09 13:21

Sample ID 240613-fmqexsyeln
Target a3e5b3cd344b5490f35522779d842223_JaffaCakes118
SHA256 043cd454f61a9fdcb9b39904fa0380892b63b5520dbe5105a752c3082ac185a5
Tags
banker collection discovery evasion impact persistence
score
8/10


Analysis Overview

score
8/10

SHA256

043cd454f61a9fdcb9b39904fa0380892b63b5520dbe5105a752c3082ac185a5

Threat Level: Likely malicious

The file a3e5b3cd344b5490f35522779d842223_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 04:59

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 05:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

136s

Max time network

130s

Command Line

tv.pps.flappybirdgamemodule

Signatures

N/A

Processes

tv.pps.flappybirdgamemodule

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/tv.pps.flappybirdgamemodule/databases/gamedata.db-journal

/data/data/tv.pps.flappybirdgamemodule/databases/gamedata.db

/data/data/tv.pps.flappybirdgamemodule/databases/gamedata.db-shm

/data/data/tv.pps.flappybirdgamemodule/databases/gamedata.db-wal

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 05:02

Platform

android-x86-arm-20240611.1-en

Max time network

3s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 04:59

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 04:59

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 05:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

180s

Command Line

tv.pps.mobile

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

tv.pps.mobile

df

mount

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | list1.ppstream.com | udp
US | 1.1.1.1:53 | listso.m.areainfo.ppstream.com | udp
US | 1.1.1.1:53 | hmma.baidu.com | udp
HK | 103.235.47.161:80 | hmma.baidu.com | tcp
US | 1.1.1.1:53 | m.irs01.com | udp
CN | 113.207.90.44:80 | list1.ppstream.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
CN | 113.207.90.46:80 | list1.ppstream.com | tcp
GB | 216.58.212.202:443 | | tcp
CN | 113.207.90.56:80 | list1.ppstream.com | tcp
CN | 113.207.90.42:80 | list1.ppstream.com | tcp
CN | 113.207.90.44:80 | list1.ppstream.com | tcp
CN | 113.207.90.46:80 | list1.ppstream.com | tcp
CN | 113.207.90.56:80 | list1.ppstream.com | tcp
CN | 113.207.90.42:80 | list1.ppstream.com | tcp
CN | 113.207.90.44:80 | list1.ppstream.com | tcp

Files

/storage/emulated/0/Android/data/tv.pps.mobile/cache/ContentCache/journal.tmp

/data/data/tv.pps.mobile/databases/pps_user_data.db-journal

/data/data/tv.pps.mobile/databases/pps_user_data.db

/data/data/tv.pps.mobile/databases/pps_user_data.db-shm

/data/data/tv.pps.mobile/databases/pps_user_data.db-wal

/storage/emulated/0/baidu/.cuid

/storage/emulated/0/.pps/uuid.data

/storage/emulated/0/.pps/parnter.data

/data/data/tv.pps.mobile/databases/_ire-journal

/data/data/tv.pps.mobile/databases/_ire-wal

/data/data/tv.pps.mobile/files/__local_stat_cache.json

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 05:00

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.16.228:443 | | udp
GB | 172.217.16.228:443 | | udp
GB | 216.58.212.196:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 04:59

Reported

2024-06-13 05:03

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

170s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.alipay.android.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

N/A