Malware Analysis Report

2024-09-09 17:12

Sample ID 240613-jdajwszalh
Target a470e12ec017b6095f02a424ab660322_JaffaCakes118
SHA256 e79028da09d29657c559f62f8277bdf2fcaeaf33052494e1a50e46da3a9fb3f4
Tags
banker discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

e79028da09d29657c559f62f8277bdf2fcaeaf33052494e1a50e46da3a9fb3f4

Threat Level: Shows suspicious behavior

The file a470e12ec017b6095f02a424ab660322_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion persistence

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:32

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
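The signature above groups all ten permissions under "dangerous", but they are not all the same kind: SYSTEM_ALERT_WINDOW and PACKAGE_USAGE_STATS are special-access permissions that the user grants from Settings rather than through a runtime prompt, and PROCESS_OUTGOING_CALLS has been deprecated since API level 29. What makes the set interesting for a banker verdict is the combination: draw over other apps, know which app is in the foreground, and read incoming SMS. The following added example (not part of the sandbox report or the analysed app) parses a constructed manifest that mirrors the static1 findings, sorts the requests by protection level using a hand-maintained subset of the platform table (an assumption, not the authoritative list), and flags the overlay pattern. Package name, the manifest contents and the capability labels are illustrative.

```python
#!/usr/bin/env python3
"""Classify manifest permissions and flag the overlay-banker combination.

Added example, not part of the sandbox report. PROTECTION_LEVEL is a
hand-maintained subset covering the permissions the report lists (assumption:
matches the platform definitions for those entries; it is not the full
platform table). SAMPLE_MANIFEST is constructed to mirror the static1 findings.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# "dangerous" goes through the runtime prompt; "special" is appop-backed and is
# granted only from Settings (no dialog), which is what makes SYSTEM_ALERT_WINDOW
# and PACKAGE_USAGE_STATS so valuable to overlay malware.
PROTECTION_LEVEL = {
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.PROCESS_OUTGOING_CALLS": "dangerous",  # deprecated since API 29
    "android.permission.CALL_PHONE": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.RECEIVE_SMS": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous",
    "android.permission.SYSTEM_ALERT_WINDOW": "special",
    "android.permission.PACKAGE_USAGE_STATS": "special",
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
    "android.permission.FOREGROUND_SERVICE": "normal",
}

# Any one permission in a set grants the named capability (labels are illustrative).
CAPABILITIES = {
    "draw_over_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "foreground_app_tracking": {"android.permission.PACKAGE_USAGE_STATS"},
    "sms_interception": {"android.permission.RECEIVE_SMS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.PROCESS_OUTGOING_CALLS"},
}

# Constructed manifest; package name is a placeholder.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" android:maxSdkVersion="28"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> dict:
    """Return {name: {"sdk23_only": bool, "max_sdk": int or None}} for every uses-permission element.

    Attributes live in the android: namespace, so they must be looked up with the
    full Clark notation; the element tags themselves are not namespaced.
    """
    root = ET.fromstring(manifest_xml)
    perms = {}
    for tag, sdk23_only in (("uses-permission", False), ("uses-permission-sdk-23", True)):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if not name:
                continue
            max_sdk = el.get(f"{{{ANDROID_NS}}}maxSdkVersion")
            perms[name] = {"sdk23_only": sdk23_only, "max_sdk": int(max_sdk) if max_sdk else None}
    return perms


def by_protection_level(perms) -> dict:
    levels = {"dangerous": [], "special": [], "normal": [], "unknown": []}
    for name in sorted(perms):
        levels[PROTECTION_LEVEL.get(name, "unknown")].append(name)
    return levels


def assess(manifest_xml: str) -> dict:
    perms = requested_permissions(manifest_xml)
    present = set(perms)
    caps = sorted(c for c, any_of in CAPABILITIES.items() if any_of & present)
    return {
        "levels": by_protection_level(perms),
        "capabilities": caps,
        # Overlay bankers need both: a window on top of the victim app, and a way to
        # know which app is in the foreground so the overlay appears at the right time.
        "overlay_banker_pattern": {"draw_over_apps", "foreground_app_tracking"} <= set(caps),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_MANIFEST), indent=2))
```

Run it against a real manifest by decoding the binary AndroidManifest.xml first (apktool or aapt2 dump xmltree) and feeding the text form in; the parser only understands plain XML.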

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:35

Platform

android-x86-arm-20240611.1-en

Max time kernel

15s

Max time network

137s

Command Line

com.lionmobi.flashlight

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
N/A | /data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex | N/A | N/A
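The payload is loaded from a hidden directory under the app's private files area, with a double extension (.png.dex), and the Files section below records three different hashes for that same path, so the file was rewritten during the run and the Processes section shows dex2oat compiling it. When pulling such an artifact from a device or sandbox, the first question is whether the bytes are actually a DEX and whether the header is intact. The following added example (not part of the sandbox report or the analysed app) parses the documented 112-byte DEX header, recomputes the Adler-32 checksum and SHA-1 signature the way the runtime's verifier does, and applies a couple of path heuristics. The sample DEX it checks is constructed (empty sections, valid header), not the dropped lion_pd_bc.png.dex; the path heuristics are assumptions, not sandbox rules.

```python
#!/usr/bin/env python3
"""Triage a file dropped into an app's private storage: is it really a DEX?

Added example (not part of the sandbox report). The DEX header layout used
here is the documented one: magic (8), adler32 checksum (4), SHA-1 signature
(20), file_size, header_size, endian_tag, then 17 uint32 section sizes and
offsets; 0x70 bytes in total, little-endian. The sample DEX below is
constructed, not the dropped lion_pd_bc.png.dex from the report.
"""
import hashlib
import struct
import zlib
from pathlib import PurePosixPath

DEX_MAGIC_PREFIX = b"dex\n"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed 112-byte DEX with empty sections and correct checksum/signature."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(body).digest()                  # covers everything after the signature field
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # covers everything after the checksum field
    return DEX_MAGIC_PREFIX + version + b"\0" + struct.pack("<I", checksum) + signature + body


def inspect_dex(data: bytes) -> dict:
    """Identify the blob and, for a DEX, verify the header's integrity fields.

    kind is "png", "dex" or "unknown". For "dex", valid is True only when the
    checksum, signature, file_size, header_size and endian tag all check out;
    problems lists whichever did not. sha256 is included for matching against
    the report's file hashes.
    """
    info = {"kind": "unknown", "valid": False, "problems": [],
            "sha256": hashlib.sha256(data).hexdigest()}
    if data.startswith(PNG_MAGIC):
        info["kind"] = "png"
        return info
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX) or data[7:8] != b"\0":
        return info
    info["kind"] = "dex"
    info["version"] = data[4:7].decode("ascii", "replace")
    (stored_checksum,) = struct.unpack_from("<I", data, 8)
    stored_signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    class_defs_size, class_defs_off = struct.unpack_from("<II", data, 96)
    info.update(file_size=file_size, class_defs_size=class_defs_size, class_defs_off=class_defs_off)

    if zlib.adler32(data[12:]) & 0xFFFFFFFF != stored_checksum:
        info["problems"].append("checksum")
    if hashlib.sha1(data[32:]).digest() != stored_signature:
        info["problems"].append("signature")
    if file_size != len(data):
        info["problems"].append("file_size")
    if header_size != DEX_HEADER_SIZE:
        info["problems"].append("header_size")
    if endian_tag != DEX_ENDIAN_CONSTANT:
        info["problems"].append("endian_tag")
    info["valid"] = not info["problems"]
    return info


def path_flags(path: str) -> set:
    """Cheap heuristics (assumptions, not sandbox rules) on where a payload is stored."""
    p = PurePosixPath(path)
    flags = set()
    if any(part.startswith(".") for part in p.parts[:-1]):
        flags.add("hidden_dir")            # e.g. files/.cache_dir
    if p.name.count(".") > 1:
        flags.add("double_extension")      # e.g. lion_pd_bc.png.dex
    if "/files/" in path or "/cache/" in path:
        flags.add("app_private_storage")   # not world-readable; needs run-as or root to pull
    return flags


if __name__ == "__main__":
    sample = build_minimal_dex()
    print(inspect_dex(sample))
    print(path_flags("/data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex"))
```

ART checks the checksum and header fields when it opens a dex file, so a pulled copy that fails them is most likely a partial write (the report's three hashes for one path suggest exactly that) or not the bytes that were actually executed; in that case diff the copies, or hook the loader and dump the file at load time instead.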

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lionmobi.flashlight

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/com.lionmobi.flashlight/files/.cache_dir/oat/x86/lion_pd_bc.png.odex --compiler-filter=quicken --class-loader-context=&

com.lionmobi.flashlight:kernel

com.lionmobi.flashlight:base

com.lionmobi.flashlight:base

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ad.lionmobi.com | udp
US | 1.1.1.1:53 | graph.facebook.com | udp
GB | 157.240.221.18:443 | graph.facebook.com | tcp
US | 1.1.1.1:53 | parameter.lionmobi.com | udp
US | 1.1.1.1:53 | api.mobula.sdk.duapps.com | udp
US | 35.166.150.15:80 | api.mobula.sdk.duapps.com | tcp
US | 1.1.1.1:53 | data.flurry.com | udp
US | 74.6.138.67:443 | data.flurry.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | analysis.lionmobi.com | udp

Files

/data/data/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex

MD5 0aaf492ff92a716417f353e815d64030
SHA1 42c004b8c72d03effc18b43dc9a28aca4e356208
SHA256 149b7b73727978a7e8608f65c61632cd84978dd394781d82f5ebb512eaa7e237
SHA512 953a5eebbe9ecd5c1d66027deb586639a2fc119de7ac799755c69e51f3fcaa54cc76ad8ecacab68d7c3fd79dcd60caf9580badd1a64501808a71f2ca761968af

/data/data/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex

MD5 3cd506e34981012bfc51a04252b4db7e
SHA1 88b391c28f6fc58d1032d75fa517aca60139f88d
SHA256 d441e4c52082c4f4193e90d3e72fb1fe679957bda81e75540fd4c11ca4cc0e32
SHA512 a42fdf804150a69163af090a53d60b39154c11e20f8f545fc420fc6a66d5292a1fb156bde96cdec3f94ef1b50cc3b137aabfaa5c1d569f3293efdf3bb9b5bc17

/data/user/0/com.lionmobi.flashlight/files/.cache_dir/lion_pd_bc.png.dex

MD5 78e7a6084a5db938f21a185d0db233bc
SHA1 af09f26da2657fadd2cfcd5bf5f1c3b98f8486bf
SHA256 dc612099823b75f39abdc552ba1f5a57cfc252bfb2d558c379d84865f8299686
SHA512 dda071bfa50f35b81dfa7a9199f6b1ad07f21ddf95221a47eb8ce58890b4eb8ecb90382dbf645b10286b61dc8ac84181ce2103a79788c6db42227f4b78927be4

/storage/emulated/0/Android/data/com.lionmobi.flashlight/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.lionmobi.flashlight/databases/power_light_db_name.db-journal

MD5 afc1dbef928731d389b98c6e3f9cb225
SHA1 9e0d3b97459422ea49c8d8163afe16ad7ccd426c
SHA256 fe1e929c3976b611ec31d888b97460b100fdd3baf821795c98439776f725ef37
SHA512 890724d9fb720640a5265369fc462175c785cc718ae1e04f3dff9825c5da2a22251b7520c70bc4c4160f5d41655543b2e77c71f14c62bb4ff30c5df1d39f06df

/data/data/com.lionmobi.flashlight/databases/power_light_db_name.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lionmobi.flashlight/databases/power_light_db_name.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lionmobi.flashlight/databases/power_light_db_name.db-wal

MD5 e117a4510e9fd2246d2422010b088263
SHA1 bc9ab7f5fa9799e587fb215c399ef2dd217a75b3
SHA256 04a7dda95d9a363c248dc55edac99e6d8bc8fb87a86171ffbc8c1da8921c5392
SHA512 121e0b1b4f81291a0b4290372043cdd4f452dfd94651678b2041b294a35a30ed513ccd1244b2d698db3274c1c0f17809774e7d536f32c967c1ae8cb6cea22918

/data/data/com.lionmobi.flashlight/databases/http_auth.db-journal

MD5 cd616b0358908ce71e6574d416c0b3be
SHA1 cd78596de13de62df09dd89b30cbbbf8ed869211
SHA256 4b901de75bbeb0aec1dfe6c8d39fbffcc925cf2602c94a8071697b43d9073649
SHA512 0acc5ffc098d4053d33186b0980addaec45295015fed3fdd527c4e0ccaa9a463a952232d24b41c689afab248a57249e9a3619d44e1ff42766bad069a3adb5164

/data/data/com.lionmobi.flashlight/databases/http_auth.db-wal

MD5 1214f2d7d8acd7c45c0e93b0e34c4e09
SHA1 6fd90de31e84822b2e73ca3cc31d13acb43148b2
SHA256 5679287ab632a4a7c7045f1f36874ebf27d53a974661a7d5d26335411183199b
SHA512 4b61a9d005fe4b0765c931f5b48624c4bf032405ce7eec5806f5a5732f973350fd2891cffe360277e1229f2542c1ff360fc7a129800af08f0e775d270fedd8d2

/data/data/com.lionmobi.flashlight/files/.yflurryreport.5912487a647f0a42

MD5 3438f013c0ffea587255f51385012764
SHA1 57f0381260712f07a647c5ccf14e9d76e26970fa
SHA256 712418498e0cbe64fc25e4d4b9c66184a3651514c47d8f08ca9f3c59276058ea
SHA512 205540549ce04968415e37ed059c712977624274de672b28509552a2995b09b10cb486990bfa719e45eb9eb5b14dc1e11c41a4f82ce7934767cfb862bb3d52a9

/data/data/com.lionmobi.flashlight/files/.yflurrydatasenderblock.bdaee797-47af-4555-a395-7a726737a011

MD5 555a4234d7ee0e1b4a9611127c7c9c9a
SHA1 f1858ac2cb8a2ccbc7aed45729e3b958a49451cc
SHA256 fec1837993c67b56d4ac8e051c8c7205946b115910950b2f22db3430bf3537bf
SHA512 189f832efd4644628b5858c457561c7d2f7b09091d4e8757ea19337ce14956231e954663f9c616f5847770a526d9d2e2a5d9fb7a3c278e90b295bc83a6eeb898

/data/data/com.lionmobi.flashlight/files/.YFlurrySenderIndex.info.AnalyticsData_8VVPHWY4K9WVZFPGHDH7_213

MD5 6d7b40376897f5830acdfebe1cc3fc82
SHA1 bedac92a5b432f5c039317cf4bdd62e3255c9e83
SHA256 f17ed6f5a73e1692dd5cb9f5ceadf6cfea13c994b488f70147ae99a89443bf7c
SHA512 7d65259882c491f8cff27d54605e8b6d4d306f18cfb88232919b176bd6e5c30134cb23c8d29c80f0368fd138c0bf199c51322977de45e6ef25f351ba0c2bca67

/data/data/com.lionmobi.flashlight/files/.YFlurrySenderIndex.info.AnalyticsMain

MD5 b8b68682cf15d7bb9139978175263528
SHA1 e70a6bdeff262567ac1848674a83ad93935d9d85
SHA256 4c7707150a618286f1900916bedfabed278cd2eed660dd0af926a6c197708f31
SHA512 cd5cca0bff4ce10c1b4d01b26ed8fa8eb24423caa70343fb4841bb87ceacd264b7057ff2288cbcf473a2d83ce379c7fb5c5c2e6acbe7d038de34e2d7fb484388

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:32

Reported

2024-06-13 07:36

Platform

android-x64-20240611.1-en

Max time network

162s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.10:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 172.217.169.78:443 | N/A | tcp
GB | 142.250.179.226:443 | N/A | tcp
GB | 172.217.169.74:443 | N/A | tcp
GB | 172.217.169.74:443 | N/A | tcp
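The two network tables (behavioral1 above and behavioral2 here) mix three kinds of rows: DNS lookups to the sandbox resolver, mDNS multicast noise, and actual connections, some of which the sandbox could not tie back to a domain so the Domain column is empty and the row has one column fewer. Read naively, that shifts the columns, and the resolver itself ends up on the IOC list. The following added example (not part of the sandbox report) parses rows in either shape, drops resolver and multicast traffic, and separates the domains that were resolved but never connected to (in behavioral1: the three lionmobi.com hosts) from the endpoints that were actually contacted. The sample rows are copied from the behavioral1 table; the resolver address and the multicast filter are assumptions about this sandbox, not facts from the report.

```python
#!/usr/bin/env python3
"""Turn the report's flattened network table into an IOC list.

Added example, not part of the sandbox report. Rows follow the report's own
"Country Destination Domain Proto" layout; when the sandbox has no domain for a
connection the row either has only three columns (raw form) or carries N/A in
the Domain column (tabulated form). Pipe separators, if present, are ignored.
"""
import ipaddress

# Excerpt of the behavioral1 table (copied from the report, not constructed).
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ad.lionmobi.com udp
US 1.1.1.1:53 graph.facebook.com udp
GB 157.240.221.18:443 graph.facebook.com tcp
US 1.1.1.1:53 parameter.lionmobi.com udp
US 35.166.150.15:80 api.mobula.sdk.duapps.com tcp
GB 142.250.187.206:443 tcp
"""

RESOLVERS = {"1.1.1.1"}   # assumption: the sandbox's upstream DNS, not an IOC


def parse_row(line: str) -> dict:
    """Parse one row; domain is None for the three-column shape or an N/A domain."""
    parts = line.replace("|", " ").split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row shape: {line!r}")
    if domain == "N/A":
        domain = None
    ip, port = dest.rsplit(":", 1)
    return {
        "country": None if country == "N/A" else country,
        "ip": ip,
        "port": int(port),
        "domain": domain,
        "proto": proto.lower(),
    }


def extract_iocs(table: str, resolvers=RESOLVERS) -> dict:
    rows = [parse_row(l) for l in table.splitlines()
            if l.strip() and not l.lstrip().startswith("Country")]
    # DNS lookups: udp/53 to a known resolver, with the queried name in the row.
    lookups = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in resolvers and r["domain"]}
    # Everything that is neither resolver traffic nor multicast (mDNS) is a real contact.
    contacts = [r for r in rows
                if not (r["ip"] in resolvers and r["port"] == 53)
                and not ipaddress.ip_address(r["ip"]).is_multicast]
    contacted_domains = {r["domain"] for r in contacts if r["domain"]}
    return {
        "endpoints": sorted({(r["ip"], r["port"], r["proto"]) for r in contacts}),
        "domains_contacted": sorted(contacted_domains),
        # Connections the sandbox could not attribute to a name; pivot on the IP or TLS SNI.
        "unattributed_ips": sorted({r["ip"] for r in contacts if not r["domain"]}),
        # Looked up but never connected to: typical of a config/C2 host that was down,
        # blocked, or sinkholed at detonation time; still worth blocking.
        "resolved_not_contacted": sorted(lookups - contacted_domains),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_ROWS), indent=2))
```

The "resolved but not contacted" bucket is the one to look at first when the score is borderline: in behavioral1 the SDK and analytics hosts (Facebook, Flurry, DU) were contacted normally while the vendor's own ad, parameter and analysis hosts only appear as lookups, which means the run never got the remote configuration those hosts would have served.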

Files

N/A