Malware Analysis Report

2024-09-09 17:54

Sample ID: 240613-lnrx2axcpl
Target: a4e5a86adc222f7b94cd4c651d5e8710_JaffaCakes118
SHA256: e408dcf2ef3f8b9f2c2b4dea7fcf8c59f491011ab4082262cbbd13f62acbceaf
Tags: discovery, impact
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: e408dcf2ef3f8b9f2c2b4dea7fcf8c59f491011ab4082262cbbd13f62acbceaf

Threat Level: Shows suspicious behavior

The file a4e5a86adc222f7b94cd4c651d5e8710_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tactics: discovery, impact

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 09:41

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 09:41
Reported: 2024-06-13 09:44
Platform: android-x86-arm-20240611.1-en
Max time kernel: 7s
Max time network: 131s

Command Line

org.silentchen.www.agilebuddy

Signatures

Queries information about active data network

Tactic: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tactic: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tactic: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org.silentchen.www.agilebuddy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | img.ninebox.cn | udp
US | 1.1.1.1:53 | s.ninebox.cn | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/storage/emulated/0/Android/data/code/MID.DAT

MD5 c679783f144b5b77cbcc89952b9590de
SHA1 339c29f74856fbb0a27070d1d90c1acde4d49142
SHA256 03e9e03b09bb456d2e730f787e5b232d119d59547959fd73617cbf44dcf56de3
SHA512 5ac8cdf1e7950029ccd418c6df2991e9763083cc631f549ab2302758b0cd634817c1f712db7310927ba39aa9612e7be746532142434d314fb7231e2f97d4aa2f

/storage/emulated/0/Download/9j/1.dat

MD5 927480efb7cbb7e260eb70a77c9dd19c
SHA1 a99b69e337352448652f3b47cf4b603806ca97b9
SHA256 f6d40c4149c098ca475bd6fb9d5c84460a0899af5c1cac2b93b9ee4c00931dd0
SHA512 70edddd7ec081baa286a8713cf5402d7f820eea6650fcaf22ec5f45dc3fd2c73d06001731ee71a0819520f5fbd84d6b3a973fe32e9f79c221cb282dab3903c19

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 09:41
Reported: 2024-06-13 09:44
Platform: android-x64-20240611.1-en
Max time kernel: 7s
Max time network: 150s

Command Line

org.silentchen.www.agilebuddy

Signatures

Queries the unique device ID (IMEI, MEID, IMSI)

Tactic: discovery

Processes

org.silentchen.www.agilebuddy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | img.ninebox.cn | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp

Files

/storage/emulated/0/Download/9j/1.dat

MD5 780acff759a26a5665e1325f1877f875
SHA1 f72ad8a92cd08f34d1776781afb73184d3c6a40f
SHA256 b4bf6760e0524c72997d32a1fa16b92d280161ece3e2b816a7328cab0c30e1d4
SHA512 8a939748f562b6f8418bcac25d75f979cf544b1f72714e1f21f131ac11f81c6a26442ff48b7548492347c4eff672442a768f058deb46cdfeb4da348fde4d2b90

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-13 09:41
Reported: 2024-06-13 09:44
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 7s
Max time network: 167s

Command Line

org.silentchen.www.agilebuddy

Signatures

N/A

Processes

org.silentchen.www.agilebuddy

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | img.ninebox.cn | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 142.250.179.226:443 | | tcp

Files

/storage/emulated/0/download/9j/1.dat

MD5 cbfaba32687f8e7906777d1bf0b63cc5
SHA1 270d56db95e65b7d433171ce919ee4eaa63cb556
SHA256 0e115551d048a5bbdc08948637064faeab349f4babb4521a5676989c7dc5d0a2
SHA512 b519d6c2b18cd4d094bfeff487daf47fa3f88e3f40658771d13b6892485ed123219636e3dadc88afc802b9531662a9de3648d6e4eb8e01c82192662f2653c548