Malware Analysis Report

2024-09-09 17:11

Sample ID 240613-k474hssdja
Target a4c99efe99a7db4e7659b53300b8cb45_JaffaCakes118
SHA256 8b4cc2e507907a5c718dc13bdaafa73ae02979bd50371503d8654a36cb9f9b1f
Tags: banker, discovery
Score: 7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral7
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral8
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral9
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256

8b4cc2e507907a5c718dc13bdaafa73ae02979bd50371503d8654a36cb9f9b1f

Threat Level: Shows suspicious behavior

The file a4c99efe99a7db4e7659b53300b8cb45_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone's network operator.

Acquires the wake lock

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 09:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:13

Platform

android-x86-arm-20240611.1-en

Max time kernel

17s

Max time network

140s

Command Line

com.dws.armyantz.vqs

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.dws.armyantz.vqs

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
CN | 120.24.152.239:80 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | t.appsflyer.com | udp
GB | 216.137.44.35:443 | t.appsflyer.com | tcp
US | 1.1.1.1:53 | api.appsflyer.com | udp
GB | 18.165.227.10:443 | api.appsflyer.com | tcp

Files

/data/data/com.dws.armyantz.vqs/files/AF_INSTALLATION

MD5 0b594c4a1438bac2cc873b72bb4e9196
SHA1 613469c30f2730c970857ac1f63336f2e4ff16ce
SHA256 1515401e82cadfc991924303717673e7b12ae2d2cf44a7cfb2457103d0e49af5
SHA512 82f50b74a329f4c43eef97d6b03cba3358972771899b9456aee188fb1d91e0f82f1740b4ca90fda49fe08edb8661e07bb771f470dcbf84948c55a3be649751e5

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:10

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:14

Platform

android-x64-20240611.1-en

Max time kernel

19s

Max time network

151s

Command Line

com.dws.armyantz.vqs

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about the phone's network operator.

Tags: discovery

Processes

com.dws.armyantz.vqs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.10:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 216.58.201.98:443 | | tcp
CN | 120.24.152.239:80 | | tcp
US | 1.1.1.1:53 | t.appsflyer.com | udp
GB | 216.137.44.35:443 | t.appsflyer.com | tcp
US | 1.1.1.1:53 | api.appsflyer.com | udp
GB | 18.165.227.6:443 | api.appsflyer.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.213.14:443 | | tcp

Files

/data/data/com.dws.armyantz.vqs/files/AF_INSTALLATION

MD5 d90c10a0adb420592d05e73b2670f0eb
SHA1 0a3de7321a62b90f9fa11240cd41ab86e1b3ab12
SHA256 5112bff7bf7df67ff6d52fab7b41c83c9286efed0325ccf6c8bd6777cb233886
SHA512 3e659f6b4339c4e8348e0b4fda8d2bcf84e64d0c462e09073def2956c7e1eb6c3b90f1c96ac0eb4355d96b14b49a3c98820817593f35447b4969d412edbbd720

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 09:10

Reported

2024-06-13 09:13

Platform

android-x86-arm-20240611.1-en

Max time network

138s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

N/A