Malware Analysis Report

2024-09-09 17:12

Sample ID: 240613-h18vjayeqg
Target: a45e9996d5673816ef03b1358c921d89_JaffaCakes118
SHA256: d06182a075410061e1d610ca4f77a569dc076b3b600458c5e566f83a01ced722
Tags: banker, discovery, evasion
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: d06182a075410061e1d610ca4f77a569dc076b3b600458c5e566f83a01ced722

Threat Level: Shows suspicious behavior

The file a45e9996d5673816ef03b1358c921d89_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery, evasion

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Reads information about phone network operator.

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:13

Signatures

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.SYSTEM_ALERT_WINDOW | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. | N/A | N/A
android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location. | N/A | N/A
android.permission.ACCESS_FINE_LOCATION | Allows an app to access precise location. | N/A | N/A
android.permission.WRITE_SETTINGS | Allows an application to read or write the system settings. | N/A | N/A
android.permission.ACCESS_FINE_LOCATION | Allows an app to access precise location. | N/A | N/A
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
android.permission.GET_ACCOUNTS | Allows access to the list of accounts in the Accounts Service. | N/A | N/A
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 07:13
Reported: 2024-06-13 07:16
Platform: android-x86-arm-20240611.1-en
Max time kernel: 4s
Max time network: 150s

Command Line

com.android.limited

Signatures

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /storage/emulated/0/Android/data/ed/cd.zip | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Reads information about phone network operator.

Tags: discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.android.limited

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/ed/cd.zip (first observed version)

MD5: 03db337b15fe3801746557d98ec931c7
SHA1: df9e88b2bceaf3727bd71055a4fdd498c352ad25
SHA256: 301f399ae1ae63576f03b0446f5da242d136e7bbd4a227214d9ea6f729f0eabf
SHA512: 526fdc681719aa5d740e83aae98912dff21afb595921312e77b84d9ea0ecf2ddc563728e8bc283560c8bd3d50716ad06fad6c77311aa76389550af0762f5c935

/storage/emulated/0/Android/data/ed/cd.zip (second observed version, same path with different content)

MD5: 0e670f5ae0a2fea879d1308aba7548c9
SHA1: 08763cafd6bf652bd68cf0e7d2c5afd728a41e5f
SHA256: a3d333a2bc9251d734540253fb0901189ea7dfbb9da7baf9d9ff39aff855e4c2
SHA512: f96c946b6bbaaa9f275a8b8921aae3c77d8ee20651ede833cf99cce7345d9691f77ea070a1cd4c1964bb6c4c728b02dddcff97e2910f12029ab0af4a9337e6f1