Malware Analysis Report

2024-07-28 14:39

Sample ID 240613-jha18atdmn
Target a47741d64dec571d8cc58d741ad3276b_JaffaCakes118
SHA256 2463b6d9b961fa7ea4af411bc85ee9381fc92d71018bc40c450c83d535d02d07
Tags
banker discovery evasion execution impact persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview


Threat Level: Shows suspicious behavior

The file a47741d64dec571d8cc58d741ad3276b_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion execution impact persistence

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Queries information about active data network

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:39

Reported

2024-06-13 07:43

Platform

android-x86-arm-20240611.1-en

Max time kernel

174s

Max time network

179s

Command Line

com.crazycoinfarm.mi

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.crazycoinfarm.mi

cat /sys/class/net/wlan0/address

com.crazycoinfarm.mi:mobguardservice

Network


Files
