Malware Analysis Report

2024-09-09 13:22

Sample ID: 240613-h6e5eatajp
Target: a465004fcd91973beda26061f059ff54_JaffaCakes118
SHA256: 850347bcf79455608014b4dbec62092f0ada6b08da2bfc112bb07254c4e2f2c5
Tags: banker collection discovery impact persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 850347bcf79455608014b4dbec62092f0ada6b08da2bfc112bb07254c4e2f2c5

Threat Level: Shows suspicious behavior

The file a465004fcd91973beda26061f059ff54_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Queries information about running processes on the device

Reads information about phone network operator.

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 07:20

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 07:20

Reported: 2024-06-13 07:23

Platform: android-x86-arm-20240611.1-en

Max time kernel: 179s

Max time network: 130s

Command Line

com.bxd365.helper

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A |
| Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A |

Queries information about running processes on the device

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | alog.umeng.com | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

com.bxd365.helper

com.bxd365.helper:pushservice

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 172.217.169.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | zhugeio.com | udp |
| CN | 121.89.199.110:80 | zhugeio.com | tcp |
| US | 1.1.1.1:53 | apm-collector.qtestin.com | udp |
| US | 1.1.1.1:53 | rest.bxd365.com | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| SG | 47.246.109.108:80 | alog.umeng.com | tcp |
| US | 38.48.139.156:80 | apm-collector.qtestin.com | tcp |
| CN | 121.89.199.110:80 | zhugeio.com | tcp |
| US | 1.1.1.1:53 | www.bxd365.com | udp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |

Files

/data/data/com.bxd365.helper/databases/crashannals.db-journal

MD5 1246433b9eb0565b1049f8cc199ae91f
SHA1 81873978fd3a79fc6708a5b2e27402e7b58b6647
SHA256 c7ff7b91b2366bd06a2517f6c8b34e017b577be3a462ad71933acaa3bece4bcc
SHA512 fb6bd52c21908315d95da9559bab631cb332420be91c78d0323bd6314a914bd439e05736ded4a2a0de17dbc85db1740ef217dfc90268244ad1d71e64205d0cc2

/data/data/com.bxd365.helper/databases/crashannals.db

MD5 64fb8e4e6cf9656357a3c8e43df489c9
SHA1 19b37ccccbddfb52939827f617fd099d945a6bee
SHA256 ec2b9f3eef04b6d514dc7d3f83b485f19a02c1e32e423a6d13205b2741dfa913
SHA512 baff3de429a1993ffc49dfc3faad71bde6ea37f8fbe155db0d27890b125b0824455bfa346801fe6b24af3fdf5323476e5dd8f9f4081fda90160d7519d0621b09

/data/data/com.bxd365.helper/databases/crashannals.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bxd365.helper/databases/crashannals.db-wal

MD5 56b74048bdfe65c1e446aa765ce39b93
SHA1 2ea06f4af24b3f150f49d698a915437c090e7d06
SHA256 aeeee49ef6edd75468ebc5ab0a496cf80671c189cd527627480d5aa13c9f92f8
SHA512 fbe512d54b1873367da573445f55c339dede7ec6547c41f3a41f208cd26179a269a4b899dcc1679b66bd1af4bcd511075a868065ed5f67ba01b80ea6cb2a62de

/data/data/com.bxd365.helper/files/umeng_it.cache

MD5 07f1a3fe6153d53f87078605299b02a5
SHA1 e932129f99e55aca0b77e046cb2ec35826503fe0
SHA256 d3b65eac7bf61fa5d7aab6836f82c815af7d8325cab91763433935b62597d6e2
SHA512 b6863168e1215beed38dedabd58c8cba9f886628a52c728bb7514dc689d583c181db8217e7aebe5051f77183fd887ae5b02fed36feeffc022a34b4b7fe850b79

/data/data/com.bxd365.helper/databases/pushsdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bxd365.helper/files/.imprint

MD5 3ebc9bc83ebfe08e49aa2e7e2a22c28d
SHA1 c2a314c70ffae1de07a2eed4fb9438a04844b627
SHA256 2073ca6e96ff2f2688e811c188423f6cf74f360121ef531a2c101e76c5c571d6
SHA512 ab4d22f71603e40d712d638e520dd6d69ee2e9ab56baa499640f50e501bc892ebdf1de5fc98beba065fab315ad02b6ca25896f4981bfd0ddcb7d662bc68f9bdc

/data/data/com.bxd365.helper/files/umeng_it.cache

MD5 d47ef669c89f5fa7f23a771951e21d57
SHA1 a1c39b8fc3147553d66d043ff52d50ccc2486d70
SHA256 8f6a05db392784c185786bcfd9fdb8f66cfdca087541ab21e23542c78e5f95e5
SHA512 e4d9d360dd4e36095b3acb24217bc29ff273b657d35eb4463783b26eb9c5a3cec777fa67bab0f21856f7ee222dba82e3bc93a5ba5b2837eab3e061f445c75f98

/data/data/com.bxd365.helper/databases/helper.db-journal

MD5 c0697fcbf1e95eee088fa762dca2bb2e
SHA1 163a4e6389890f80065e199e016f377ad524e911
SHA256 d621b1cdf2507cf5fefbd2c9e7708dd4846f7ff86d0b5de9bf654c228e4afbed
SHA512 4a1d183f68521c5452e93bed6e6ada5b085715ad08f08f8e7b1d7d9bec90168b8dbd50fc2f77f2ffae7f323cff0177812073eeb02afadbb66be0c66fad0f67e5

/data/data/com.bxd365.helper/databases/helper.db-wal

MD5 a769f73cdc53c25eee110c9fef10b400
SHA1 abf3d3ee2a413d407430900d6b68797a5783d989
SHA256 76bff90dd9394dc5d0496e7eb2aa195d62403bf2e6b6e5e431784d1736c98067
SHA512 d78f8bb40180d31a60a6f3323edda0cf9929f49b08f6e1cb83038c4917fac95a682b84d0a433e48c83e9da6beda172811618480fa88be75c42ae0cd16dd27ed5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 07:20

Reported: 2024-06-13 07:23

Platform: android-x64-arm64-20240611.1-en

Max time kernel: 179s

Max time network: 132s

Command Line

com.bxd365.helper

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |

Queries information about running processes on the device

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | alog.umeng.com | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

com.bxd365.helper

com.bxd365.helper:pushservice

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | zhugeio.com | udp |
| CN | 121.89.199.110:80 | zhugeio.com | tcp |
| US | 1.1.1.1:53 | apm-collector.qtestin.com | udp |
| US | 1.1.1.1:53 | rest.bxd365.com | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| US | 38.48.139.156:80 | apm-collector.qtestin.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp |
| CN | 121.89.199.110:80 | zhugeio.com | tcp |
| US | 1.1.1.1:53 | www.bxd365.com | udp |
| CN | 223.109.148.130:80 | alog.umeng.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| CN | 223.109.148.176:80 | alog.umeng.com | tcp |
| CN | 223.109.148.141:80 | alog.umeng.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| CN | 223.109.148.179:80 | alog.umeng.com | tcp |
| CN | 223.109.148.178:80 | alog.umeng.com | tcp |
| US | 1.1.1.1:53 | alog.umeng.co | udp |

Files

/data/user/0/com.bxd365.helper/databases/crashannals.db-journal

MD5 1ec98af2e04392b232e748d5f2b5de32
SHA1 65d8e35305e5e4f56299659c5dbf9b542f1d1d2b
SHA256 eba20e521c839874c1c4b2081b3b2e7e423be90e9a3087c240093ada73d42f1a
SHA512 b9d5ea58595efdeaff9c6494c32a3456bf5e52af80723c6c8594a65db4b6bb03f56a6a801388caa2ca88ed266a85051cf9b237e333e77fe9d68b271b2c2826fa

/data/user/0/com.bxd365.helper/databases/crashannals.db

MD5 83711c426e74713eef541f8734eef3a0
SHA1 d6781382f3773f14c3bf703edf883b42e9083e7f
SHA256 2dedadd105b3c36f2f500d24ca28852c5d173593f5947317b15c4d6cd8a23574
SHA512 00ef03c3372f837af52abe811124ac36fd4accd77d3cc865f58ec198be8de5abd5605ee235fd64123780a01ce7a6359639579c391ad64cefcac66c4bf740edb9

/data/user/0/com.bxd365.helper/databases/crashannals.db-journal

MD5 67fd7e915a08c7f2fa751117b7cc0206
SHA1 6037e0240a322c0d3aec6438a354c2e0d6f00632
SHA256 f6a98970f0fb314219c8e291c3e1230cfa7fe4cdb3ba1393ca3f4572cf3deee8
SHA512 3f54764c9db4164fe91d18b9310b5681c9c9cc5f7203d3703483623d25c010d2a1369f74cacc5df633bab527793f8d2707fbff30ec8727c11fcfe5d4006b753d

/data/user/0/com.bxd365.helper/databases/crashannals.db-journal

MD5 0fc294d41f9212956caa1c61ba3b0a5e
SHA1 cc049e5441866efa58ed15cc61a25c84ea786e48
SHA256 141578dd9d9c57f4d123a7b75c026a276ceb8a8a3ef73f006263d938c776f09c
SHA512 f999f67a9de8a961d89ee727037350c38d02ad7220bee175796b444de7ce6e765c6456a3ef02abf8766e620368240f1ab59591b29006ed6f1be7c804b9d33c6c

/data/user/0/com.bxd365.helper/files/umeng_it.cache

MD5 6c23571c28d83b8ee4bbca90932fb128
SHA1 ee350f1d63a8bea253016014eb014b1b1d1c0fe9
SHA256 8ad8e36659f2b6409267dac7bbec1524928f6749eeae639926666a7f4429028f
SHA512 3fdade847f5df68c19e11c4953c180d8ff213b1925cab92b360b1619cbbd25c98a2209752e90dac63a8c51972f282792b7cc888815c265c66dbc2944800b8ed6

/data/user/0/com.bxd365.helper/databases/pushsdk.db-journal

MD5 3e3aa151c34eebc5a6aade5d94d1b509
SHA1 44ba3232809fd8cfa2231502ddd5cf5207130b5a
SHA256 c96c4644be987ae0cb24ba16f6713f0551a72083cdc0c6ab89d74b784292271b
SHA512 590e74e5ffdfcef31edb325aaf2b488bd5117675bfebf1b2434d8928919a8b4cdc0921cb955da299443322dde13085005ef60daf5f5c704354b5bbf4bfe7e4b8

/data/user/0/com.bxd365.helper/databases/pushsdk.db-journal

MD5 6b55a82436e50f508e2686b68ee76c77
SHA1 1e40f7c0e4d98b352c8c4f79598538fdaedbcefd
SHA256 e9af4cec2af2d5baf691c95668b2944e4decb14f5523fb1b38bbcf7e52d923b7
SHA512 1a9be12300030e0798313a33875ef84fcfa9ef05c9c8053a4c342d61e2c11421cb7e51ef539b74b849ffa38fcf8ec6117bdf7ec1b9235318941f3ff8cf16f6c8

/data/user/0/com.bxd365.helper/databases/helper.db-journal

MD5 9b2f78fe88e1b600945ad0e1c92054ff
SHA1 9e0f64567af5dc0f60407747c5a8415055c6d79d
SHA256 b034de8b9fd8cf983dd6a5f6a50f68d98f800fe221a892c6c45156df36d79497
SHA512 a574ced5b87b4f8653f74c56ad10adafdb6fffcfdd4206f4baf5ac9c2612d7e6b70173cc533b33367574157a48b41e4bba4a2a26c67bfa7afa7f5599593d758f

/data/user/0/com.bxd365.helper/databases/helper.db-journal

MD5 1509658c0177add05985efd6155f1a63
SHA1 b5d711b7598defbbe655d67b2b16977c5a980b9c
SHA256 016355a1c3c14aafe4b613c4fc6779e6dbf40dd3fff10f49a414af9f3cea566f
SHA512 275a84d6275a5e79a955d106a9113a64b4f8e0a968f24dcf05d729494a999377e238a6f360e0f7374fec01a9fe84b54cefd2a1e801c2026d56b5c10984f3dae9

/data/user/0/com.bxd365.helper/files/.um/um_cache_1718263313376.env

MD5 60b1703be32af585118c7f80534c14e2
SHA1 a4891aa0461b6cb0de731954784dc2decb76c668
SHA256 3697343c0513562d8f1135b6bb353ab91e3bd23202a66316311a946e3c6fb2aa
SHA512 ba18d725a83b8d73ae5ade2b48423f518f9514ba19b2687010fe9e5cbd77dfc62a4a78ea129078ed46d0730755eb78916279a8de9b2669b25fe7636ddb2a8f5e