Malware Analysis Report

2024-09-09 17:48

Sample ID 240613-mnwfwsyhjk
Target a51ca0ca57e85fa90c96cd4d6c81a07b_JaffaCakes118
SHA256 1a0f9e6e078ce14123b8b23f5540e74d82115b93efccd153bc5d521f27b1414d
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1a0f9e6e078ce14123b8b23f5540e74d82115b93efccd153bc5d521f27b1414d

Threat Level: Likely malicious

The file a51ca0ca57e85fa90c96cd4d6c81a07b_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 10:37

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 10:37

Reported

2024-06-13 10:40

Platform

android-x86-arm-20240611.1-en

Max time kernel

174s

Max time network

158s

Command Line

com.fsms.consumer

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.fsms.consumer/mix.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.fsms.consumer

/system/bin/sh -c getprop ro.board.platform

sh -c getprop ro.yunos.version

getprop ro.board.platform

getprop ro.yunos.version

/system/bin/sh -c type su

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 550f568f27956dc53c197dcfa44fc00c
SHA1 e7969c2f1b609dc4da4004ae3c6b39809d9ba588
SHA256 844b2d25740f8789916573604139306686e16d0970e51b12ef07eecc8b612713
SHA512 45a4dc78ca4e3c981c1afeaa8e516fad35b2d28171f87d58d81c202a306aa34dbb844a63c8c4e1db13363680738cc316bc3d4a53b3416be9f1c27cc78a5fadce

/data/data/com.fsms.consumer/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fsms.consumer/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fsms.consumer/databases/bugly_db_legu-wal

MD5 2aedb7c7f4f0bd3a54b16cafa5e6bd95
SHA1 59865f810386cb3eafb5aaf64f26dab1e5701cce
SHA256 a580e7ade76253d73341a9d919312d563c9f0e4ca8b15b805e139db5647638f7
SHA512 5727f8bdf9e12ef2bdd517b1cbca601905b5396a30a7f628dbdd3491132d54f99902e6206ce7253e2c9498bf96bf92dbce745c7ef6069467dfd2a7d996b5afad

/data/data/com.fsms.consumer/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 10:37

Reported

2024-06-13 10:40

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

132s

Command Line

com.fsms.consumer

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.fsms.consumer/mix.dex N/A N/A
N/A /data/data/com.fsms.consumer/mix.dex N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.fsms.consumer

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 85402d2198055f5e48e5a4e08159dac5
SHA1 c9b9527a77936a731f5e86b90ff8f0dac74f90bc
SHA256 fdf03c4fa5203e8ef5e30ed5ab2a0d5eb7d7f59356c0c1ab3b60f3f1fab4e397
SHA512 1132909b3040274dd2cd3680501f10dd66eb5c77dc1e6ff54b68ccbef348daf12b355570ad936cb9f9a50246702d0843c8184d58473b1fc8740ac294b42ff849

/data/user/0/com.fsms.consumer/databases/bugly_db_legu

MD5 a4c4232cad0c4109c4d2636c7ba5d0e7
SHA1 fc0320241bade6c6cb5e0d5dfc2421efb2ee66f3
SHA256 dae5fa52c3fe63d2cbf9ee0130e437f696f821fc4553492e56071669651b97ce
SHA512 2440b724a9fa4a024348831545423bcfd878e2121ef866ad0c69b3272fcee450f90cc8adc6bd13040b2f6d37a01c7c201573173f97b7f3248cd54d2aa6c2c4b0

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 14a6d6f7f61e09e26fc11f3ec8461dc4
SHA1 919412bcec6f715e2957407afc48f48bfcad25e3
SHA256 ee91ff00e2988554adf1a3e0d0eec1c7070accaf4f6ea62f7651edb301533ed7
SHA512 6235c7a4376e37e8aea54898afef7aa197c0d83d317cb023706d9c33a91b9b9bc1469be8a79d1bc151806e2c31525e8eb95f358630f5916a658ea8e9e42bc4e4

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 dd9a281234b6dd6659f99f43df8f52b9
SHA1 37aee27d70e9a1d7b575785e1b27330762a44c33
SHA256 b9ff069d1dbacfb9122762f1d696723a1ff829e3ce274ba14c42e82178a2e534
SHA512 c4608e834c129bf9fd578fb2e618ba362e8c0495d9b744d2d6343eca0ef30fdfefd6410aa37b9c44c3b1e09c2a535c754ce54a9b45dd68ad4f8545f2dfb16a06

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 d7675d09c4d74ef9dfdb35d3856f703e
SHA1 5506d3b6615f07748a0f7bb858844a5c1747ca5b
SHA256 3d99861b993ef0331df6d84d4bc5c3242fc8a10d33e90670e1759852429b69ea
SHA512 31286ef424552c62c8e34a46b96918efb65c155838421a041f2ae2bd20233305350913f213bb15c8202cfc6979614110eac944905b2290f2e43ecc4b9d308cc9

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 a849d3a1efc7f2a7f89e99a2b6790b75
SHA1 6870b2e8ff2d26222ccbcab67e5bf433422cb0c3
SHA256 c30c9b18e1a13cf84def5ed0916e308352b0248bb8ac82d726596668c2bd3240
SHA512 2ce05e243e8b76fc12a09843a54be72ab937a1b8265783310d1533316c82c382f9e4fa896b271381957c7d27c878a3fc4ccd3694d4b444b5eb48405029dc7507

/data/user/0/com.fsms.consumer/databases/bugly_db_legu-journal

MD5 0e79ad2ab4d0012fce511f26be6d7efb
SHA1 aa67768d093dc7cf6076b55404200699ffe36932
SHA256 ead3e2f4ab850330ff4103c2fb38c6af4d305ba5a69a3e458bd2a22cf4a482e4
SHA512 901dff00ed37f9505179c57e2d7db5170c4a2ca645d4380f37927eaba8a6b33410395ec3faa61d38e976705070df4ccdd8b5b1a263ad2a36d0ef13dd36f85d89

/data/data/com.fsms.consumer/mix.dex

MD5 63f77f99bd2c2b772a479923bde11974
SHA1 c7632e7d301e4463fafce85f84e9c3d7da3fdbbe
SHA256 4c76a3af64cdd2f8713ffe2733dea50dbe714d0ca41c17d1847ee5b62a7ca615
SHA512 3aae4a89d1ed51fdd911cb367eb10afe3c2264e4222085891b18a60d5412f85d10bf5c8f3c6642db70abb9aa42732bac5c42c42ee32d587100f53c21b5beb16c

/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup

MD5 5ec758aba3fc538354888e38ac5ed313
SHA1 d35b6573d25b6e282a680a4ffe9ccfceebec74a4
SHA256 12eb72ff09eef9137e67ce8f0588607a28976e0e082b80125f7ff572405a582e
SHA512 13e094ecf0cad0cec897853bd3fad125b5ab07db68652cad4affb1b03da9d50a19815b268361a45543205cd54774148691a3433abb075a48ef0c846dae73ccec

/data/user/0/com.fsms.consumer/app_bugly/tomb_1718275049520.txt

MD5 d61f3cc3a790ef2da2940be6c50062bb
SHA1 dca65a349bc24e5634ad16c82381dc14d6edd9b7
SHA256 fa6554bad796eb8a48180d655f5145306e20d85b637b64ab03cfcffa67563232
SHA512 2d21f7f088331ac0f434a8feedf35e79fe9618edfb084744a05231bddbf04dfc0d39c1235388ac23572f5abaf8e28d3899d735b95e804c78b863ffc1b94de3bf

/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup

MD5 5ba5018e1d2c68df2148103f59f33c25
SHA1 9c936cdc38dc6af8847a2bd4178b2e55a1f9e50d
SHA256 e77446c0467c4a2a2c2f8bfa7b9e0769b36a8e37369c3b391b92fc024ce39759
SHA512 a9b4084eac71feae90bd563788eae953eeb3e9d9e4530b3b7bf01def692dd47df3c72eae9a018529fca5223c30a3eb8904312592f045abdf6c3c9027458308e0

/data/user/0/com.fsms.consumer/app_bugly/reg_record.txt

MD5 bc13091f8fb274febdf6a9a02d54c4d0
SHA1 c43c01283ab795cd751edbbce79c641702aea4a5
SHA256 7b29118956add022f8a509ead69b50f9af6d675b0e35fbd50b6c704d6c7928ba
SHA512 2dcd4b651290236e275b2fa448d721e7c67bfe9e8bb10a4a85a42980715d670b30ef1492d896cc4b8b2dec29f9596a95622def860f6e30b32150dfb5ec9fa4d7

/data/user/0/com.fsms.consumer/app_bugly/map_record.txt

MD5 3c8f8000d465bdfac47f7a3627748c92
SHA1 00a3a993856da911328b917a4c8535351338dd7b
SHA256 b3c7a8e19615f6316a79710243162c75465f31eaedb139197653ba7a341d4189
SHA512 8dbabc56cf90f91f569cde9bcfb7f2a9c61d8151979d4e782083c5b662858747e28ae3670dfe89f71af58e81b3c0064044656742e1fac060224e3aef0ac8522a

/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup

MD5 0f41feb7396fd7e6d9e7983658ef7e5c
SHA1 4110cfd194e144ae94a0816a1940b237a5bede7c
SHA256 9e7c626fdd5b839f49b33edaa4d076eeacf2d95ae4fd3c3e40953e70249c0be9
SHA512 493464a851d0c3aec2018cc4dae2b613e6b8f21906978c7f87a2621b58fe84e8451d30df7cf9d8e1b0d20cf0c9069deb32d7a14d9c13730883994d9dcb5a2865

/data/user/0/com.fsms.consumer/app_bugly/sys_log_171827504994901.txt

MD5 4c6037eefb5e619746f58d2b3d9ab5d3
SHA1 54b1f00720d0e5c0114e18300358d72fbc874803
SHA256 9a901a1263936c919ac56b68bfe1c369ab1ef233a0077906959e0914832927dc
SHA512 dace93ec6bb638e662aa04dcd581d992af1d8bf777d472e36842c61b40cb8bf079fd1942ad446038da8cf467d3eea7517774f39f6d7c97418a163c157e870798

/data/user/0/com.fsms.consumer/app_bugly/rqd_record.eup

MD5 078507ea6e0ba49dcce42bcf714a5d2c
SHA1 aac3130754b46ab237deaefed3762916b790f8f0
SHA256 3db06ebebc7672b92231e9bcb6c85276347821771ffadd68e0d546a07e476529
SHA512 c2accb3a2784f2a715a416500ac740f5ce246239c263a62a2cd583e8f6bf88dd0ad07050184047757dee0c35c55c7f311e3d2e6d9aae52d8a41b87f778decbc9