Malware Analysis Report

2024-09-09 13:22

Sample ID 240613-hhtb5asbpp
Target a4436a777cd222803316ce6c71619302_JaffaCakes118
SHA256 e290d1f43acd117b4d015d037fb080680b2653dd91ef698470cc99df08632f81
Tags
collection discovery evasion persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e290d1f43acd117b4d015d037fb080680b2653dd91ef698470cc99df08632f81

Threat Level: Likely malicious

The file a4436a777cd222803316ce6c71619302_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion persistence

Checks if the Android device is rooted.

Requests cell location

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 06:44

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 06:44

Reported

2024-06-13 06:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

67s

Max time network

159s

Command Line

tv.pps.tpad

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

tv.pps.tpad

df

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 dy.ugc.pps.tv udp
US 1.1.1.1:53 www.baidu.com udp
CN 183.240.99.202:80 www.baidu.com tcp
CN 183.240.99.24:80 www.baidu.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 www.baidu.com udp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp
US 1.1.1.1:53 www.baidu.com udp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp
US 1.1.1.1:53 www.baidu.com udp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp
CN 183.240.99.24:80 www.baidu.com tcp
CN 183.240.99.202:80 www.baidu.com tcp

Files

/storage/emulated/0/.pps/uuid.data

MD5 61c90f4a35b254a11225d499a9e70cfd
SHA1 a215eb0bd645e8a85019d1de2eb37285bed25b15
SHA256 250db5e501fa9e84764206fdcab8ac1792df0c62f1675733e89d5eea5978653d
SHA512 ced4986a7ddf3d22dec07f56b8c30da52ff9635ea7b9b54f4b0ae293054a849f13a045d0a935fbbd0764f9fea7f2a72a1720f5613308825b40026e20ab4896f2

/storage/emulated/0/.pps/parnter.data

MD5 125d74905933bf990b1225d6b834d224
SHA1 5cbd34d3d2204fd53faed1c50a6bd1f59d917ce6
SHA256 339fdb2ea2a116ae902e65c4311fccadba527b25351ecb5743f6f9f3c71002ea
SHA512 faad29f0f392ee31aa5b00b4190fb0ee9ca0dcf037599d8f8009e81c760bb854a74564d82c0b0efae8ef1edbe96352756eb1691b5c5604917b9b982f7abef16d

/data/data/tv.pps.tpad/databases/pps_user_data.db-journal

MD5 c11aee09f0ace08a9194215aaff07f7e
SHA1 c2285535aeaebe9d6ae34d64d09f72dd7f405fb3
SHA256 2820ff5731d8c99ef871c4403dd9c6d1bc01609b0e1488632aa15a0c66fa4a58
SHA512 5c82981b3d6120b8015ddd8f3b49e5f2f720b1ab0cb0402cae9a3a2b683d8164d08c354a45ca398d5798e0c6208dd26b289cae239f41cbcedb6371a3f0d9c3a9

/data/data/tv.pps.tpad/databases/pps_user_data.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/tv.pps.tpad/databases/pps_user_data.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/tv.pps.tpad/databases/pps_user_data.db-wal

MD5 6f7dfe6c37d31d231cd6b3e8930c4a52
SHA1 4f716dc8e38507750549671bab8b42cf271d8fcf
SHA256 9f7b3c06d8d6e69926cec5efd31db1ffd10b6b770a7defe02ad92a0de5a8d09f
SHA512 aa3eb41599fcf0af0b51770430191b71d034ef93a7886262816f10e7d525db485d9bbed137a25a872fd7a645973caa11af67d6710fda04498188493cad7accca

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 06:44

Reported

2024-06-13 06:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

148s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

N/A