Malware Analysis Report

2024-09-09 17:11

Sample ID 240613-mdeqdsvbnd
Target a50de3093d97769c41115dbea0241aef_JaffaCakes118
SHA256 9894cd0caa7018914265133f22df23a423396671600838931e53001fdf11fafb
Tags
banker discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9894cd0caa7018914265133f22df23a423396671600838931e53001fdf11fafb

Threat Level: Shows suspicious behavior

The file a50de3093d97769c41115dbea0241aef_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:20

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:20

Reported

2024-06-13 10:23

Platform

android-x86-arm-20240611.1-en

Max time kernel

176s

Max time network

184s

Command Line

com.jb.musiccd.android

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Note: alog.umeng.com is the log-upload endpoint of the Umeng analytics SDK, which is embedded in a great many ordinary Chinese-market apps as well as in the stalkerware tracked by the echap.eu.org indicator list. On its own this hit identifies the SDK, not stalkerware; weigh it together with the SMS, call and contacts permissions listed in the static analysis.

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.jb.musiccd.android

com.jb.musiccd.android:pushservice

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
CN 14.146.228.19:80 tcp
CN 14.146.228.19:80 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 14.146.228.19:80 tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
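The table above is easier to reason about once it is rolled up per domain and checked for the usual oddities: a name that is looked up but never connected to (alog.umeng.co), a persistent non-HTTP port (5224 to sdk.open.talk.igexin.com, which belongs to the Getui push SDK and matches the :pushservice process listed below), TCP to raw IPs with no DNS lookup in the trace, and telemetry sent in plaintext HTTP. The script below is an added example written for this report, not sandbox output. NETWORK_TABLE is the table above pasted as constructed input (country, ip:port, optional domain, protocol); the checks are ordinary analyst heuristics, and EXPECTED_PORTS is an assumption about what this app should legitimately use.

```python
"""Roll-up and anomaly checks over a sandbox network table.

Added example for this report, not sandbox output. NETWORK_TABLE is the
behavioral1 table above pasted as constructed input (country, ip:port,
optional domain, protocol); the checks are ordinary analyst heuristics and
the port list is an assumption about what this app should legitimately use.
"""
from collections import defaultdict

NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
CN 14.146.228.19:80 tcp
CN 14.146.228.19:80 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
CN 14.146.228.19:80 tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
"""

EXPECTED_PORTS = {53, 80, 443, 5353}  # assumption: DNS, HTTP(S), mDNS


def parse_rows(table: str) -> list[dict]:
    """One dict per row; the domain column is absent for raw-IP rows."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list[dict]) -> dict[str, dict]:
    """Per domain: number of DNS lookups and the distinct (ip, port) endpoints
    actually connected to, so IP churn behind one name is visible."""
    out: dict[str, dict] = defaultdict(lambda: {"dns_queries": 0, "endpoints": set()})
    for r in rows:
        if r["domain"] is None:
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            out[r["domain"]]["dns_queries"] += 1
        else:
            out[r["domain"]]["endpoints"].add((r["ip"], r["port"]))
    return dict(out)


def find_anomalies(rows: list[dict]) -> dict[str, set]:
    """Things worth a second look in a report like this one."""
    queried, connected = set(), set()
    nonstandard, unresolved_tcp, plaintext_http, multicast = set(), set(), set(), set()
    for r in rows:
        name = r["domain"] or r["ip"]
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if r["domain"]:
            connected.add(r["domain"])
        if r["port"] not in EXPECTED_PORTS:
            nonstandard.add((name, r["port"]))
        if r["proto"] == "tcp" and r["domain"] is None:
            unresolved_tcp.add(r["ip"])
        if r["proto"] == "tcp" and r["port"] == 80:
            plaintext_http.add(name)
        if 224 <= int(r["ip"].split(".")[0]) <= 239:
            multicast.add(r["ip"])
    return {
        "dns_only": queried - connected,        # looked up, never contacted
        "nonstandard_ports": nonstandard,       # e.g. a persistent push channel
        "unresolved_tcp": unresolved_tcp,       # hard-coded IPs, no DNS seen
        "plaintext_http": plaintext_http,       # telemetry or C2 in the clear
        "multicast": multicast,                 # mDNS on the local segment
    }


if __name__ == "__main__":
    rows = parse_rows(NETWORK_TABLE)
    for domain, info in sorted(summarize(rows).items()):
        print(f"{domain}: {info['dns_queries']} lookups, {len(info['endpoints'])} endpoints")
    for key, values in find_anomalies(rows).items():
        print(f"{key}: {sorted(values, key=str)}")
```

The dns_only result is the one to chase first: a lookup for a name that is never connected to is either a typo'd or sinkholed domain in the sample or a lookup the sandbox's network window cut off before the connection, and only the pcap will tell which.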

Files

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db-journal

MD5 5f8dee490660831cdee2e44909b90b7f
SHA1 59e52c6618a7dd2073a853364069229417ccd9f8
SHA256 a374215f5604f8ebe07196e6933deeb618c23161aff7fc15c2d6f6c8e9e36088
SHA512 9760bd90f09cabff8f04135c875a15bb13aedf62fafdd63afa71d81775f6ef56e1256278481f95372451d36bc55e1d2ba7de2e2b9aaa7ecbcbadfd47e7a4fc34

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db

MD5 2b6ed71bbac8c1f7eb104d85bd7d05ce
SHA1 ba20ef849e8bfece06e8e51aecb8a49e2e767eeb
SHA256 c80532bbaf984fc3051c3c1c51131ea7bc40a2d471181cfcc7949ec03b1a9f1b
SHA512 1318755faf81c62bcfe3a42c0ca75f2281d770561c50e891b13af88e6466bbb3685a2b1c259c226cce826828bb5c49d2044c72f7226b8af326828f79ad974af0

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db-wal

MD5 b0e0bab35a823b1c4d7b6dccae3e1c78
SHA1 f8cd1e239b5815987ca1f0a7b6097f122ff8fd5b
SHA256 86156f9e1de19103efd2dbabf1d4f3bc5c0e4cecbde3d7e439732bfb070c0d59
SHA512 a59efe320e62d825aa38281730dc183da194d088a0eb497a799a7435b113c9c0c38bbb841d264d28093fd5d7493bc5604f0ff91f06dd4c318723b8fddd74f48d

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db-wal

MD5 ec9fa0b41ee85efd1416dde5ff0679a9
SHA1 63450a410cb69f0dfe04f6e27c0cb4ce134c33d1
SHA256 c9b3b71c9c03107f3751ef246af7821b0f116f7eac8647f84b80165b6db04a0e
SHA512 176e9b0da439472531c802a22d5ee0566987e608734ad8d2c4d7126780e3fac4c018725d4e6acaba1551e0211958d34c8840ba14a38073c05f78024bb9ed2f6a

/data/data/com.jb.musiccd.android/databases/gxdbapp.db-journal

MD5 f63eb1c8d582a736d3c1aa2b110d7f50
SHA1 434ffc91c4eb6691e55374ed8be701fe72083c19
SHA256 165d3917705cf79a3dd70fafae9f886e52cc37c3bceedcc91d444f1dff55a2f0
SHA512 a6a42202bde44681527c7b3de1c3014c11555f9f942f7fd68e20c0d08bec7df0f38d2a5a390e2569e58bfe86f4a52434ea9e48ca86f444d34db09fd345a82031

/data/data/com.jb.musiccd.android/databases/gxdbapp.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jb.musiccd.android/databases/gxdbapp.db-wal

MD5 353e2be59cf92bf84594dc7db1a2170f
SHA1 0e59e5c3a777e868233e7019d63efc411730b852
SHA256 1c38e04731f4ea29094d227ece7654884574c974f6d802a6efc6926bbf82157b
SHA512 d06d5927163765783096541fa1ab53552c4d973870328b021c9a5332fdab6927412d6ec54205a78911f88ba69d433edcbdedd200147c3e4cf20e687c216c6ca3

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db

MD5 5f4cd862fa43e47b554c473dff647124
SHA1 a994d21bb852c3c64e5f102f4ebb67b0df6e14df
SHA256 fee386cdc1d18e3240e031610a43da10a710252c49f9ee961aa892641df66a57
SHA512 aba50123c5a382dfc2876543e4a86abed3ca56adef8bbfcbce4da868b7c778f238628985364677b06c92b67ecc645d25940015f2b335fba38decacbe98b8c243

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db-wal

MD5 f3f3de8b5e63fd234acc0c2c04ec2d4d
SHA1 712abce940fe261d7e2d34ffd6bebcd521e93665
SHA256 17ee63610e566bc1e83c5778fef153a12683e5d323a248d70a9872b4ab0d5c02
SHA512 d3bd8d3adf59c0e583faaa1b10a18aac5b067e368f2d4ad4bd24df32aed22223cbb6fc0b9b411e0764e98f15b5eefc06e4ba0b374d5d99dd543a4fdd737a977b

/data/data/com.jb.musiccd.android/databases/download.db-journal

MD5 01f5201fe392aefdd19dc92c1a0507bb
SHA1 a704e9d7f24a825315d4d20e0e9da315de07e302
SHA256 626ff8d3e84a991701207c39b1350c84a0fc40a75a4ae52e055edbeeafd1e24b
SHA512 701e3b4f1bd1fd736edf6a01c96ed040b260047bf0b03414b198aae8057f1d0d60a5429086dd088bcec7c48ae9624c7124a65be3ee18535f41d6015ed968bf60

/data/data/com.jb.musiccd.android/databases/gxsdkdb.db

MD5 2d9eb2aa0b38ed317e62bcd25314861b
SHA1 b25086ad7da1de1de24640d72e9f1614017687db
SHA256 305e952653535c2626e951d14d9212e4fcf4eafafe1b937c8d6c36bc1c7b8829
SHA512 9f54c7279ae23a05c3a0e4bed74bf2bd0292932b20e39a905d56f3bac8a8de805ecd7ce6faebef10de96e083b39077219b32f82b6e5637a6a7d2b89edc4e9b13

/data/data/com.jb.musiccd.android/databases/download.db-wal

MD5 296c395407022e5ea4ed735809f1bea7
SHA1 226c93b6b77aef422589fa0b6efb624fdfac93dc
SHA256 94b794d50649fe3beb528616dcb567fef8bfecfe6a926e0ae2295c9921f7343c
SHA512 e628719a568e92847a39baf090cbf4d6266d120b5dc415d3ee852241d82a67d873b23cb04db3e2b6e2d77656d300bb25cab553ae378c4c9f89d0f29d355229c8
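The dropped files above are SQLite databases together with their -wal, -journal and -shm companions, and several of the same paths are listed more than once with different hashes because the sandbox captured them at different points. When examining such artifacts it matters which file is which: a -wal holds committed pages that have not yet been checkpointed into the .db, so the .db alone (or its hash) is not the database's current state, while a -shm is only a shared-memory index with no durable data. The script below is an added example written for this report, not part of the sandbox; it classifies each file from its header in the layouts SQLite documents and reports how many WAL frames are pending for a given .db. The sample byte strings are constructed headers, not the contents of the files hashed above.

```python
"""Classify the SQLite artifacts a sandbox lists as dropped files.

Added example for this report, not part of the sandbox. The sample byte
strings are constructed headers in the layouts SQLite documents for the main
database, the write-ahead log (-wal), the rollback journal (-journal) and the
wal-index (-shm); they are not the contents of the files hashed above.
"""
import struct

DB_MAGIC = b"SQLite format 3\x00"
# WAL magic; the low bit selects big-endian (1) or little-endian (0) checksums.
WAL_MAGICS = {0x377F0682: "little", 0x377F0683: "big"}
JOURNAL_MAGIC = bytes.fromhex("d9d505f920a163d7")
WAL_INDEX_VERSION = 3007000  # first field of the -shm header, host byte order


def classify(data: bytes) -> dict:
    """Identify the artifact type from its header and pull the fields an
    examiner needs before deciding what to parse or hash."""
    if data[:16] == DB_MAGIC and len(data) >= 100:
        raw_ps, write_ver, _read_ver = struct.unpack_from(">HBB", data, 16)
        page_size = 65536 if raw_ps == 1 else raw_ps
        page_count = struct.unpack_from(">I", data, 28)[0]
        return {"kind": "main-db", "page_size": page_size, "page_count": page_count,
                "journal_mode": "wal" if write_ver == 2 else "rollback"}
    if len(data) >= 32:
        magic, _version, page_size, ckpt_seq = struct.unpack_from(">IIII", data, 0)
        if magic in WAL_MAGICS:
            # 32-byte header, then frames of a 24-byte header plus one page each.
            frames = (len(data) - 32) // (24 + page_size)
            return {"kind": "wal", "page_size": page_size, "frames": frames,
                    "checkpoint_seq": ckpt_seq, "checksum_endian": WAL_MAGICS[magic]}
    if data[:8] == JOURNAL_MAGIC and len(data) >= 28:
        pages, _nonce, initial_pages, _sector, page_size = struct.unpack_from(">IIIII", data, 8)
        # pages is 0 while not finalized, or 0xFFFFFFFF in no-sync mode.
        return {"kind": "rollback-journal", "pages": pages, "page_size": page_size,
                "initial_db_pages": initial_pages}
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WAL_INDEX_VERSION:
        return {"kind": "wal-index"}  # shared-memory index: no durable data
    return {"kind": "unknown"}


def pending_wal_frames(main_db: bytes, wal: bytes) -> int:
    """Frames in a -wal that pair with the given main db. Each frame is a
    committed page not yet checkpointed into the .db, so the .db by itself
    (or its hash) is not the database's current state."""
    db, log = classify(main_db), classify(wal)
    if db["kind"] != "main-db" or log["kind"] != "wal":
        return 0
    if db["page_size"] != log["page_size"]:
        return 0
    return log["frames"]


# --- constructed samples --------------------------------------------------
def _db_file(page_size: int = 4096, pages: int = 3, wal: bool = True) -> bytes:
    hdr = bytearray(100)
    hdr[:16] = DB_MAGIC
    ver = 2 if wal else 1  # file format write/read version: 2 means WAL mode
    struct.pack_into(">HBB", hdr, 16, page_size, ver, ver)
    hdr[21:24] = bytes([64, 32, 32])  # payload fractions fixed by the format
    struct.pack_into(">I", hdr, 28, pages)
    return bytes(hdr) + b"\x00" * (page_size * pages - 100)


SAMPLE_DB = _db_file()
SAMPLE_WAL = (struct.pack(">IIIIIIII", 0x377F0682, 3007000, 4096, 1,
                          0xDEADBEEF, 0x01020304, 0, 0)
              + b"\x00" * (24 + 4096) * 2)          # two frames
SAMPLE_JOURNAL = (JOURNAL_MAGIC + struct.pack(">IIIII", 2, 0, 3, 512, 4096)
                  + b"\x00" * (4 + 4096 + 4) * 2)    # two page records
SAMPLE_SHM = struct.pack("<I", WAL_INDEX_VERSION) + b"\x00" * 132

if __name__ == "__main__":
    for name, blob in [("gxsdkdb.db", SAMPLE_DB), ("gxsdkdb.db-wal", SAMPLE_WAL),
                       ("gxsdkdb.db-journal", SAMPLE_JOURNAL), ("gxsdkdb.db-shm", SAMPLE_SHM)]:
        print(f"{name}: {classify(blob)}")
    print("pending WAL frames:", pending_wal_frames(SAMPLE_DB, SAMPLE_WAL))
```

To inspect the real dropped files, pull the .db and its -wal side by side out of the sandbox and open the pair with `sqlite3` in a scratch directory so the WAL is replayed; opening the .db alone silently discards whatever the push SDK last wrote.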