Malware Analysis Report

2024-09-09 17:34

Sample ID 240613-n33n7a1hlm
Target a568a3b09bef53ecb25a2b70c929d27c_JaffaCakes118
SHA256 1105f0b880e6df5119e046d3b379f56dda5d9278e57724176648214dd4c95853
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

1105f0b880e6df5119e046d3b379f56dda5d9278e57724176648214dd4c95853

Threat Level: Shows suspicious behavior

The file a568a3b09bef53ecb25a2b70c929d27c_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 11:56

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by remote views services to bind with the system. Allows apps to share and display views across different processes. android.permission.BIND_REMOTEVIEWS N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 11:56

Reported

2024-06-13 11:59

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

159s

Command Line

com.samruston.weather

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.samruston.weather

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 geomobileservices-pa.googleapis.com udp
GB 216.58.204.74:443 geomobileservices-pa.googleapis.com tcp
GB 142.250.180.10:443 geomobileservices-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.samruston.co.uk udp
DE 35.156.224.161:80 www.samruston.co.uk tcp
DE 35.156.224.161:443 www.samruston.co.uk tcp
US 1.1.1.1:53 samruston.co.uk udp
DE 3.70.101.28:443 samruston.co.uk tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.samruston.weather/files/places.json

MD5 26a6f3c5c6b5bcd0c182e84147dfd271
SHA1 dbaa1bfed460eb052f9e0b191bf8f02ba693077c
SHA256 383eceb5919c6a17db42d4aa6ed3a910b0abd20b52d61e11982e4871e5759217
SHA512 3077cda627950ff40e7c0e4caa3051b1d1dff223e94049ea3fb8f9ba691d86284856d037b363e3304d0ee1dc5aa34874da81f751946c4326c8d215f0c0404e15

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 11:56

Reported

2024-06-13 11:59

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

132s

Command Line

com.samruston.weather

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.samruston.weather

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/user/0/com.samruston.weather/files/places.json

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af