Malware Analysis Report

2024-09-09 17:12

Sample ID: 240613-pgbt1ssdpn
Target: a57e1166fd2f1c2b3cb1d82784002618_JaffaCakes118
SHA256: 2a02c62466f232795339b5ea7ac4aa55f0e1be7e08d4aeced32e5e66754c9550
Tags: banker, discovery, evasion, persistence
Score: 7/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file a57e1166fd2f1c2b3cb1d82784002618_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery, evasion, persistence

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Reads information about the phone network operator

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:17

Signatures

Requests dangerous framework permissions

Description                                                                                                                                                        | Indicator                                  | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE        | N/A     | N/A
Allows an application to send SMS messages.                                                                                                                        | android.permission.SEND_SMS                | N/A     | N/A
Allows an application to write to external storage.                                                                                                                | android.permission.WRITE_EXTERNAL_STORAGE  | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:17

Reported

2024-06-13 12:20

Platform

android-x86-arm-20240611.1-en

Max time kernel

11s

Max time network

131s

Command Line

com.popcap.pvzboss

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about running processes on the device

Tags: discovery

Description            | Indicator                                            | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses  | N/A     | N/A

Reads information about the phone network operator

Tags: discovery

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description        | Indicator                                            | Process | Target
Framework API call | android.hardware.SensorManager.registerListener      | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description            | Indicator                                            | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver        | N/A     | N/A

Checks CPU information

Description          | Indicator      | Process | Target
File opened for read | /proc/cpuinfo  | N/A     | N/A

Checks memory information

Description          | Indicator      | Process | Target
File opened for read | /proc/meminfo  | N/A     | N/A

Processes

com.popcap.pvzboss

Network

Country | Destination          | Domain                               | Proto
N/A     | 224.0.0.251:5353     |                                      | udp
US      | 1.1.1.1:53           | semanticlocation-pa.googleapis.com   | udp
GB      | 216.58.201.110:443   |                                      | tcp
US      | 1.1.1.1:53           | android.apis.google.com              | udp
GB      | 142.250.200.46:443   | android.apis.google.com              | tcp

Files

/data/data/com.popcap.pvzboss/app_td-cache/tdandroidgame

MD5 89c859dbc505378e467969f1aa057aef
SHA1 6808531da5ee1ae79282468bde7b3d60155901cf
SHA256 8a5102c354f0509dde76aa8e2d15a2ebb82233f137257674394ddba753518612
SHA512 45fa3e66808a264552cc0faaf0073e3ea6ed24b23389765cf1fe718325df610e5020580b7802e2663f7011eb9141c37debd5dca543465f9e4582cbc0b1146835

/data/data/com.popcap.pvzboss/files/pvz.hero

MD5 024f29b20cc14464decaa24f152770bc
SHA1 45204f5a44fd4e1e394f7943cca0ed353ee334e6
SHA256 de2b9e97a2210bbea3d96693a234380348b6ee59b1522e5cbe12c17f1969986a
SHA512 b0921e8465c8ce183b7e307931bb1c907e1597433a7c0d9e9fc7faf5522bb811e6ea0537f2310b42eba8195c6668f6566378f5c9e16bf4fbe4354a4e4b66a097

/data/data/com.popcap.pvzboss/files/account.acc

MD5 9202439e883300bf1170578b2c80add7
SHA1 9af115916edc36e913c040176af50d627dfb1bda
SHA256 b6603205e35a27c05aa145d8b949c79d1195686b8a7bee1eb09ce8271caae07b
SHA512 e697b4d0ef6e6785ab0154a142784f526f2e7a22297ef9171fecdb34a6dd0d1f58fe2a03816db5f26b876fc01ef13e0dd50a09335c02e4e602121ed37d2b7a82