Malware Analysis Report

2024-07-28 14:40

Sample ID 240613-jtkd2azfjd
Target a485a78f4a94835683378609d6cb2298_JaffaCakes118
SHA256 0ba8251ee5e8efec6c78aa03653b3a681785192fa0725e327559b90b9b78f8b4
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0ba8251ee5e8efec6c78aa03653b3a681785192fa0725e327559b90b9b78f8b4

Threat Level: Shows suspicious behavior

The file a485a78f4a94835683378609d6cb2298_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 07:57

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 07:57

Reported

2024-06-13 08:00

Platform

android-x86-arm-20240611.1-en

Max time kernel

14s

Max time network

131s

Command Line

org153.geometerplus.zlibrary.ui.android

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery

Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery

Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

org153.geometerplus.zlibrary.ui.android

org153.geometerplus.zlibrary.ui.android:library

org153.geometerplus.zlibrary.ui.android:crash

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aos.wall.youmi.net udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/data/data/org153.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 71aaa2633401d5f0a2a17d77c33d7e4c
SHA1 2eacf95905d3aeb8897763182e08ef095c727f6b
SHA256 316960987509b222c37666ccf29392a5a8662d45ddf79e1803c0dcc8b351c0c9
SHA512 d4f401f02b6986fd38db0c730fa38efc484f982824751c945b0e638891a096d163d54c113fec5c73d6afe808ffe077466fce546cf905e7d07972b223e31d5aa3

/data/data/org153.geometerplus.zlibrary.ui.android/databases/config.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/org153.geometerplus.zlibrary.ui.android/databases/config.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/org153.geometerplus.zlibrary.ui.android/databases/config.db-wal

MD5 b7e16998d78cbd9e603e8ff3d15bf068
SHA1 2dd7db69aed48f6ece0138ea498b85fecf2d09fa
SHA256 a90e51dd18d6fa5131b657adbf4ee3ce0f958cc2cbf49785d0619b970b25447e
SHA512 d531148bd2628ba61628dd134d50e23ebe3c44dee24a8dfcbb921d46f7cb2c435c6bd31b01ba6181cd6ae3a3b37063b02fdafd8d4d778d9a4bc7ee97f4dbd592

/storage/emulated/0/LaBooks/mishuzhanga.epub

MD5 68623762f54e3244b2b418b5f1729ae8
SHA1 24d985f37106412d567b1ead39ebca592cb21f53
SHA256 77338496f9fcd7628e6f95558d5d31088c5964ee8e2392afb1cce046ebdd1389
SHA512 47b218976aaa8757301cf5439ce5e7466f53fba3d13866f61fa78d2f5a94fb6e46370dd8e95f65617f8993c4b1aacbc0ddd66eb415650095a6b0a4209247b47f

/data/data/org153.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 f11cfdcfca02c4396cfe37224dcad93d
SHA1 5e9fcf919a39aa1a0df60e49d5545c10e9d09ef2
SHA256 33972d2f3f173bfe6a7a820040ff4900dddeb7b2198976bfd481354e57619ed1
SHA512 ddcd7140554304a0b2d6ae03c006073201abce4160523eb0fcd34aeb1bfcdd74bba0561e361331c39e6a4f2ea3cd63b9c8d640d97c9495c6cfefcae81508dd0b

/data/data/org153.geometerplus.zlibrary.ui.android/databases/books.db-wal

MD5 b69380a8aeb990621d58c8cdb2b27bc9
SHA1 751bee4761c8cfaa2e3fa8fdb5d51774d97ef138
SHA256 12a73d1db148f2d5fcdb36e650c54912035eb2998ce3a54f23b6bb3262686b0f
SHA512 bf700d8527d5783e686aa8546d932e2d66cb9005a3cf636090373d2f436b230fd5b212df6d394ffa9adfd7a55cb20bf7309d3a400e6fd736b10a9687202b7dc9

/data/data/org153.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 86741103e1b4d4f2348c5d676534327b
SHA1 8ae2ce915782ce42bb426fd57e1761d8dfb0f5fc
SHA256 a039cfe0d8691daa168c7fbd318ae26261bca29cc6033140f2a6a83206b985f7
SHA512 be2c55deded4ef2d26e66b6709d8aa9ba580fefe11752b3d85863e94140d3be9fa38e4204a394ea631fd226f378f682cc30f72c4ed7efb38bd2ca616f2bc20b9

/data/data/org153.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf

MD5 77ed0b4e11ab1de85e99a654750e17f5
SHA1 3b926a62333fc90771e1069a5624f2c552e27e54
SHA256 0e2922ca6593a8f733373472435a2754fc1cf6368e1f91b392e8968fdedd61c8
SHA512 1ba48541f11ffb15c5c564a56d9a0f988b66c04ce2ee9404dbc6fcc607456f6dcb4be4c5aa64f3055465b366bf302d1009cdf8d07af4f5ac3fd85cf2ff2ffecb

/data/data/org153.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-wal

MD5 9c5c7afeb036f91889f590d040db6b01
SHA1 6152dd026a9db22d63bde01745f0fbe1531e5947
SHA256 b5f40dcff70d632389743cc46fcad0a2630c6a2ca87fdc8e6e3d0507ba67c7b1
SHA512 c19504ab5307082eb5daffb603f52c0a6ccdf53e57181616ec7ba90b104217433317d05829e387a65ab0348b2ddaca89df4d6387720d5c283bd821e8703ba07b

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 a96d8878ec6caade3dde6516895c559e
SHA1 5bca3724d7b140221c1d46644152b39daa18ca7c
SHA256 bf04c0d4271beef05ead6d59e3cc4099264bf776926564aeb063eaf1db0caa75
SHA512 87729af33882ab3eb1817fe37ffd1614ad068b07f86c1c2b0ca0d8eb7131aacdae348c171e59930a4dd1077b4152facd4a299890e7227a30d65be4389b5d6f6f

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-wal

MD5 564b9afe4c39b9467887f48612a9d60b
SHA1 453d9fdbf7960c6bb67ed079744a23eef51d712f
SHA256 c6d1123aef936ee84f28fd5f5411975719abb194373d3615c9396f93bc013115
SHA512 f36e6d0d512cd04f4eafff925914de156523c681190cac384c4914eaf00245a6b4e216de0b0bb8f30d0ce693bd75253ee6b4ba4a941bfe74f3cbb60015ac7f03

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 07:57

Reported

2024-06-13 07:57

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.68:443 udp
BE 142.250.110.188:5228 tcp
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.68:443 udp
GB 216.58.212.234:443 udp

Files

N/A