Malware Analysis Report

2024-09-09 17:51

Sample ID 240613-janx4stbln
Target a46c186e760bf7960be0b99d3da341d4_JaffaCakes118
SHA256 ac495363199b70ef6639d73ab64856d378df66b41ca1ac3069ba8c977919265a
Tags
discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

ac495363199b70ef6639d73ab64856d378df66b41ca1ac3069ba8c977919265a

Threat Level: Shows suspicious behavior

The file a46c186e760bf7960be0b99d3da341d4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:28

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:28

Reported

2024-06-13 07:31

Platform

android-x64-arm64-20240611.1-en

Max time kernel

2s

Max time network

132s

Command Line

com.hawsoft.mobile.speechtranspro

Signatures

N/A

Processes

com.hawsoft.mobile.speechtranspro

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so

MD5 f7f5e960db0c8a6f3b5b8d1a0427a042
SHA1 a8b623f9f87a6e785508befe07314da2fa903bfa
SHA256 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c
SHA512 ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba

/data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu_64.so

MD5 0733255e286b6e6dbaba9cd897e6d6a9
SHA1 f7050b691709a83633b7d3cde1b91bd6fff1c2b0
SHA256 8ebf467743eb1ac1c31eee127d4d37e3109c23b856e7de94de04a11f8b9f6432
SHA512 c3349d02dbdb02e3c0bcf52a752df5f142866aedfedca01cfd52a37166b50acd5159488260ee8f43a7b59da1288dc50bbabb6845a67135c919de1083ef9d678f

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:28

Reported

2024-06-13 07:31

Platform

android-x86-arm-20240611.1-en

Max time kernel

18s

Max time network

138s

Command Line

com.hawsoft.mobile.speechtranspro

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex N/A N/A
N/A /data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.hawsoft.mobile.speechtranspro

chmod 755 /data/user/0/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex --dex-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.hawsoft.com udp
US 163.181.154.239:80 www.hawsoft.com tcp
US 1.1.1.1:53 translate.google.cn udp
GB 142.250.180.3:443 translate.google.cn tcp
GB 142.250.187.238:80 android.clients.google.com tcp (24 identical connections)
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/libjiagu.so

MD5 f7f5e960db0c8a6f3b5b8d1a0427a042
SHA1 a8b623f9f87a6e785508befe07314da2fa903bfa
SHA256 17ac5b03f2a51ebdf2cce66314bc8e3e1547bfa0dde61357fcc07768aaaecb3c
SHA512 ec889d1d9428cdbac082d0b5ab81cf33ac417874a416daf27b02af3d207b1b02ed794fc0b3f0ea266c8edaf3bfeb8f3cef7c631af689405fa629fee948ae8cba

/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex

MD5 d0b7202efeb6bee8a5afb6297df81d72
SHA1 697cde476cb1dfe9a47735905fd5d099a1b706b5
SHA256 5e18323b2b2077801ef8362f3282dae9c1b3a88475f87a4e0c5e5298e017b4de
SHA512 4d81e3a9c7f2dc58a54e70bc70ade8980260b0a63cfb2b4a210835ec28c5f39d54872083d506bf7063279ab9cd9e56062f5986f4790519788de5a0662a45b59e

/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex

MD5 307ba6e9a7b07b6e5638d8307f70e5c2
SHA1 b842c091aa372676f400eb6cf8712a9390b17985
SHA256 3076109fcedee1b883cb792b9002f22f08c0d6e94442a52807dd0a64a56c52ef
SHA512 6a98ae3c702283671ef027d4da5f432ff17a233eb5c6bf93b19d55b9a32025603b67b8271317f61f659edfabac48910956ce9e706627336c45c2da0a2d382e1b

/data/data/com.hawsoft.mobile.speechtranspro/.jiagu/classes.dex!classes2.dex

MD5 a417924065c5b782a0b6edeaaf434508
SHA1 54b1392e679a00bec9e2dfc67731084dc20f6df8
SHA256 942c05452e32dadef583eaf6ff6cf08a0fd4487ade2a932e4e2512b135aa0b50
SHA512 4441a2b6d87fbb1ec7863b169cc784d187622a722ea0595255742cc6d6f516d5e6f917e95d5ea853faa7f10ffc401eca038a32d2bfa3844f1687d41ca5f99aab

/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS

MD5 99e15a6be2fc42640cebe5f57fdaf820
SHA1 16aa400bfac3cfeb670630589e691bc3fa62c4ee
SHA256 f7b35fd979583865fca867252d3cd050a6cf86be1f3b00c5566af4ad6f10a07a
SHA512 3052ab79c10f5b78ac2ebb74bdcbca530912662a7f962c411b55a0be7458a06d5d48ce71af5e80f36dc95904e49df6418c924b8902c9b338a4c1d254addfc1b8

/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-journal

MD5 f9e20cac0d011cd5f8c6f77fbb6167f5
SHA1 494eee74b59ff84862923d8ca84ff1675c614c00
SHA256 19891626b85358a8f20033af20aa2dfe686d5948005586f21e5bd68914e7c379
SHA512 365ac937b67318564ba85dc10f9a3458c054e2d9483ac0cfa8a68a4f9a0e3b77a08583bb73f8d63788349b17bfbf33521555cd16013f591e997c4f5e940348bb

/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS

MD5 c76cabc8947effc4de51f39b167145a2
SHA1 730b68b0d27dbd59d0ebb94220b58bdd559ccd53
SHA256 fea6632554e00e79ba6056c50e58fce2296e7cb2d568581c94f20129f7cd1ae6
SHA512 f8fc039f7339405cdd3e7065e8f6861b7b3cf4e564af2c3c9891ef7b792e716758ea0951fa2b52db8f2613370c01d51d3c214974beb5876f4c31ac024fafebf2

/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hawsoft.mobile.speechtranspro/databases/HAWSPEECHTRANS-wal

MD5 537d1df9c98b6a44ce31aa448a863492
SHA1 ce7a7316bb92c9759d7a9c68035c96225e197266
SHA256 729f8064c7b18cb33952be3c2ba98449190e8cbfb359cc2129852f516151ee46
SHA512 59cf76c4a29e1098c9c28df7d6049d03e14353ec2347e5bae8e0fd3b380dc9a0d27056f38dab9136f9fe8470c0529ee618efeb43bf6aef6f9218d723afcbb9a1