Malware Analysis Report

2024-09-09 17:11

Sample ID 240613-fn643ayepm
Target a3e74485c0722783e16039c78b68507f_JaffaCakes118
SHA256 c15e5e05411c0370a9743e6fd6c5fc42532f9494e8ff218c1a55d58044884172
Tags
banker discovery persistence
score
7/10


Analysis Overview

score
7/10

SHA256

c15e5e05411c0370a9743e6fd6c5fc42532f9494e8ff218c1a55d58044884172

Threat Level: Shows suspicious behavior

The file a3e74485c0722783e16039c78b68507f_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 05:02

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 05:02

Reported

2024-06-13 05:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

186s

Command Line

com.sds.android.ttpod.main

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.sds.android.ttpod.main

com.sds.android.ttpod.support

com.sds.android.ttpod.pushservice

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | client.api.ttpod.com | udp
US | 1.1.1.1:53 | adash.m.taobao.com | udp
US | 47.246.137.207:80 | adash.m.taobao.com | tcp
US | 1.1.1.1:53 | collect.log.ttpod.com | udp
US | 47.246.137.207:80 | adash.m.taobao.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sdk.open.talk.igexin.com | udp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp
CN | 183.134.98.102:5224 | sdk.open.talk.igexin.com | tcp

Files

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 2c2242156517d9f5315622ecd8ce7953
SHA1 a38f6c473ffd7853138c0b7f7b20ba0d8992acbd
SHA256 4afcc3a7e4ad2d8a3535f259c8e5a0b9eb078842722f884306c038a0c6ad0327
SHA512 18cb70076c15b61f599125bf2fbca63ff48502b247e426f1928867cdc3d5bc0fe93170d96e7dc8a92a433c2317fde66b7dd0874eed040c8cdd7fd3e963273ea9

/data/data/com.sds.android.ttpod/files/umeng_it.cache

MD5 e97675bd0cc0be3265ea61d43ef351f8
SHA1 bef7b8e8c9a7e347bd451643b17878e390cbb3bd
SHA256 b571bd191f85814711f54d26cb1f92f0b954f5233e2b0a0b48b1bfd4ea703e57
SHA512 b63522ffb7b68f90b46f228f6c23b57cea58f995d8a526565e7e7493fdbb5a08aa4403b433734748fbe26685d97f2f79ea61fef6e7d3cac50284f6cf524f4ec6

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 b15b00bf90b7c93b3665eda88fbc4808
SHA1 5d90cbaee0798753afcad7e6555a92d2567dd02a
SHA256 92882182a7ffae56437ee1b2b3a68ddc0594b28c1e3a4254920023015cb4b429
SHA512 cbea5c61e2043c01bbf5b0ba79e45106bf011e29447317a4bc66560afb52177f2268f5fd95d84868152b25b1aa4368256392d24eed3f4fb9a56cb2eaa1b27059

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 acebb384eb168f5e46299bb5de0e6027
SHA1 4439932d76bacbd9bc0ea76d919a5263d7e28399
SHA256 35fa2b75f194df887bf881399fe53d43d1daf3e0101d18fa79b0ab48895ad103
SHA512 24ead818144a17e8a01d14847317d30d6ac786d5860f74d92fedbaf770711a72a7865ab07e7614d38af5ce68f3e7224abf56fc4f98d9f71d770aa972c1cdcd35

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 f52c6f924f406ee7da8fcd6bae91e785
SHA1 55a14b39d2a19013574b3145cdecf0dfc261b04b
SHA256 9510eb8605a1935906a9356659b97d5f7d57eea750bebf5596178c6a842c87e8
SHA512 61ac4f98686c9d3e0e4efdd94926710f121e6d1c17db1ea8f48dfc3b7f29ad676b76cd09b155f88847e786891c3b469614bc5e9dec1fa04687372b15b16ae117

/data/data/com.sds.android.ttpod/databases/ttpod.db-journal

MD5 f3391b406f3901269d4c07efaa402926
SHA1 70127ed0d6356ef78a88fb710adaa8eec37e4d95
SHA256 207ec1080b9b0c5dcd7ee953dc49a4bc15f3dd9096191cb8fa0d9acfcb8dc175
SHA512 7d118aab274b008e961a3636ce85e4834f4b42f67dded550534fe3b6cdae263d686f8753fcb35f8c9feeccec518501d07c92bd0de12a8c826d58992a3c1858aa

/data/data/com.sds.android.ttpod/databases/ttpod.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sds.android.ttpod/databases/ttpod.db-wal

MD5 3f53a900914557764bf934da0fa2fe8a
SHA1 b21be5e99b135a9c988a1b9d5012bcfd3ef8a15d
SHA256 807092a32f0f16303d3672875ee6668aadd7fdf0e1611bd7e9a528969029aed8
SHA512 c03a06e843c59c8ff1d9c19c838f7b8ce7429beaba33dfbee4c1bcfd0e554e6e9b8635ea15e0bc227b7ad2a82392b14a66c29a8b4529b735e6889269dbf5faad

/storage/emulated/0/ttpod/cache/object/BACKGROUND

MD5 86f953fa5bbccfe91a70b0f4d9972444
SHA1 0b8124f2c9c09c49c0efed401d58b645e3c800ab
SHA256 3fd32e95b1ab6e42b6da349dd059502c469215f4ba077eb42ded0d823aefbbda
SHA512 e024a40463d72dad3e90ddb74263a13eccc9e2ff0b36d450eee7cd79f961a19dc5e645962e42c86185e19fceb7127fe13708cb8408210a63b3a337edfcdc2381

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 b1b1cd31eaf24b56e05810ed5e41310f
SHA1 066a83acfe747377ca87b46574b4e79be0a8130b
SHA256 d10decf0befdcd79e68de94b1ef242c6fe1910a037b41a5bedee406cc8fcf84e
SHA512 679761b0fcf4f9d90cb9a4144dfe24455c5aa4d9449de5a161fb8d7eda4159622fbad3ce33989e0a7e02b7ad234ee13c2b60bfdd9eba19aa27b25448eea2b4fd

/data/data/com.sds.android.ttpod/databases/search.db-wal

MD5 8948b1c5c474e13937731bb3c5e323b0
SHA1 33d4ba477bc29f40306a1bd84d7c11c2fc76f3a5
SHA256 46265b8613a3684beec4d08829bd27c6b7948f71eb7370c3e504aee1be6bbf01
SHA512 2c04b4a110b59c190c401898df509660c1a836b06bb68a667cd7ee57327b6ea4fab3711ceb0081ce0efadc0b3b8097f5b324ca7fa22fd391d1b2adeab3f89b7b

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960230

MD5 4c053560b18b4461720ab71f9d9e1e06
SHA1 80fc278a63ac39f14ee55ab72553f871047b0582
SHA256 f612276ec7f16a5e0aba050ded46d9f750e4edf05c12af546cd28fa6f062c1eb
SHA512 97c853c6c423834bfbee1bebe371a2c8eebc9bb01acf4f9088b2dbeee01a95d1c0c947a0f4207d2621507cbb2aaede564b309c4e58baba738c4dd8a388b2d5ca

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/deep

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960230

MD5 59ba0901308533bc5c9b6b04fad347ec
SHA1 d619271be615ec7131a0255a0c7f4f4e37b21d62
SHA256 be6b69cebe5ab9f8a631d147ff65ef219102ab7c39e3099710ac84d8f02cbe97
SHA512 ab5f04cb40c6a4f0b73e8df0303fcf452b0638dc423041a0b699a31218d8b37a8e5993fb6a57172871ae4502097d31c83e84ca8b296870cc82b8145db4af8e6f

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/deep

MD5 c81e728d9d4c2f636f067f89cc14862c
SHA1 da4b9237bacccdf19c0760cab7aec4a8359010b0
SHA256 d4735e3a265e16eee03f59718b9b5d03019c07d8b6c51f90da3a666eec13ab35
SHA512 40b244112641dd78dd4f93b6c9190dd46e0099194d5a44257b7efad6ef9ff4683da1eda0244448cb343aa688f5d3efd7314dafe580ac0bcbf115aeca9e8dc114

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960230

MD5 db7ba2677cf341eee88f5009d2291c11
SHA1 983a1ab01efe650946b4f228e23ccfe0c9961b57
SHA256 fa4ab3a21e06da2fececc6af07ebc8ef15f870f3f8fce5cdaf633add9bf57559
SHA512 62b30d0d5fda4795fe5697c06b0321a6d5f5c48665219f5151a148e3cef954c2ea48a6dcdae918b501f5ae1d04efceb4dbd17310a5c817d94ec7ba3cf57579c8

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/deep

MD5 eccbc87e4b5ce2fe28308fd9f2a7baf3
SHA1 77de68daecd823babbb58edb1c8e14d7106e83bb
SHA256 4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
SHA512 3bafbf08882a2d10133093a1b8433f50563b93c14acd05b79028eb1d12799027241450980651994501423a66c276ae26c43b739bc65c4e16b10c3af6c202aebb

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960308

MD5 390764928ae6a91ba9e41d7a6ad94baf
SHA1 6c32576bb24ae50f6091f99a03aa8e6afdec381a
SHA256 970747ff4a2880a1fdb99a257055c881066e834bc9b023403e1e3b9e94a0d42c
SHA512 d9dc30bb110a66744bf735426b7019ca3cf6e28f39687053b1de09b099ca52fd1f677a84017ec99bbba00ef156d72632bf8d176538c62b3cedec958eb7b47361

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960230

MD5 38299e184f3962cad9132c66dc8c8340
SHA1 cfbd8ca3770d07b8ae16347b6029706b10df6c7c
SHA256 6c37755fdf7496122123f719adf1e31ba9b8a3e123c808d7d7d9c4b5d3b89351
SHA512 623115839e562a1de191b8cdc62c93b1fda5c59580df1e1c199744fb59619f097e4652c9dc4fdf66b40d2c9d47d769d320a81c56df7f0e476cd234305ec8e9d6

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/deep

MD5 a87ff679a2f3e71d9181a67b7542122c
SHA1 1b6453892473a467d07372d45eb05abc2031647a
SHA256 4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a
SHA512 a321d8b405e3ef2604959847b36d171eebebc4a8941dc70a4784935a4fca5d5813de84dfa049f06549aa61b20848c1633ce81b675286ea8fb53db240d831c568

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/statistic_1718254960230

MD5 7d3472daeecc5d8412ef566634b57c2d
SHA1 9cb6266be6162e81187276cad535083b1f1dca99
SHA256 b095f98f22dbf78fec22c49b095a9d76fca4e3c5018973c20c7f09976c9b162e
SHA512 7963186d90499579e9667d63effb391456f324990a867f1e8be2c6b0158ed1e2764af01d79009f22631fbaff014648ecc3b2037dea7cc6580e4808d18b6fb1ec

/storage/emulated/0/Android/data/com.sds.android.ttpod/cache/deep

MD5 e4da3b7fbbce2345d7772b0674a318d5
SHA1 ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
SHA256 ef2d127de37b942baad06145e54b0c619a1f22327b2ebbcfbec78f5564afe39d
SHA512 06df05371981a237d0ed11472fae7c94c9ac0eff1d05413516710d17b10a4fb6f4517bda4a695f02d0a73dd4db543b4653df28f5d09dab86f92ffb9b86d01e25

/storage/emulated/0/Android/data/com.sds.android.ttpod/.cache/statisticLongDelayTmp

MD5 86d47389a86fd261db4b90f145b37a9a
SHA1 66534e250d4ec3bc40fbe5917c5c57c20c59b26f
SHA256 201d1ea4f024101db14ed6c5d64c9f4df5259ff9c95a3cfea0ef7af752bb4793
SHA512 a85e4070c66374877ecaa9ddbb92b861d366871bec58d0e6e22511580fd2427bf4e2446d572b309d3d1218553bbfda977deb24d3e67da8cd0b341c9e343f1f3d

/storage/emulated/0/Android/data/com.sds.android.ttpod/.cache/statisticShortDelayTmp

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af