Malware Analysis Report

2024-09-09 17:12

Sample ID 240613-pkbcnasepq
Target a5830587d4873b74a9b8b98762194520_JaffaCakes118
SHA256 dfd4bdadfb301e1a6901dd4f5aa59f021662c13c06d10b1e9f8360ac04a60779
Tags
banker discovery persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

dfd4bdadfb301e1a6901dd4f5aa59f021662c13c06d10b1e9f8360ac04a60779

Threat Level: Shows suspicious behavior

The file a5830587d4873b74a9b8b98762194520_JaffaCakes118 was classified as: shows suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about active data network

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 12:22

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Note: SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are not runtime-prompted "dangerous" permissions; they are special app-op permissions that the user has to grant on a Settings screen (ACTION_MANAGE_OVERLAY_PERMISSION and ACTION_MANAGE_WRITE_SETTINGS). The overlay permission is what makes the installed-app enumeration in the behavioral section relevant to the banker tag.
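The static pass above amounts to reading the manifest and sorting the requested permissions by protection level. The script below is an added example (not the sandbox's code and not taken from the sample) that does this for a decoded AndroidManifest.xml; the manifest text is constructed to mirror the six permissions listed above plus INTERNET, and the dangerous/special sets are hard-coded from the Android permission reference rather than read from a device.

```python
"""Static check: bucket the permissions an Android app requests.

Added example, not the sandbox's own code. It parses a decoded (text)
AndroidManifest.xml, such as the one apktool or aapt2 produces; it does not
read the binary AXML packed inside an APK. The permission sets are the
protection levels from the Android permission reference, hard-coded here as
an assumption rather than queried from a device.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Runtime permissions with protectionLevel "dangerous": the user sees a prompt.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Special app-op permissions: no runtime prompt, granted on a Settings screen.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install unknown apps",
    "android.permission.PACKAGE_USAGE_STATS": "usage access",
}

# Constructed manifest mirroring the static1 section of the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yxxinglin.xzid419785">
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def requested_permissions(root):
    """Every android:name on <uses-permission> and its SDK-23 variant."""
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                names.append(name)
    return names


def analyze(manifest_xml):
    """Parse the manifest and split its permissions into dangerous / special /
    normal buckets; also flag overlay capability, the enabler for overlay attacks."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    return {
        "package": root.get("package"),
        "dangerous": sorted(p for p in perms if p in DANGEROUS),
        "special": sorted(p for p in perms if p in SPECIAL),
        "normal": sorted(p for p in perms if p not in DANGEROUS and p not in SPECIAL),
        "can_overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MANIFEST)
    print("package:", result["package"])
    for bucket in ("dangerous", "special", "normal"):
        print(bucket + ":")
        for p in result[bucket]:
            print("  " + p + ("  (" + SPECIAL[p] + ")" if p in SPECIAL else ""))
    print("overlay capable:", result["can_overlay"])
```

Run it on the output of `apktool d sample.apk` (AndroidManifest.xml in the decoded tree). The "special" bucket is the one to read first on a suspected banker: an overlay grant plus package enumeration is the setup for fake login screens, while the dangerous bucket by itself is common in legitimate apps.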

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 12:22

Reported

2024-06-13 12:25

Platform

android-x86-arm-20240611.1-en

Max time kernel

123s

Max time network

158s

Command Line

com.yxxinglin.xzid419785

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Note: getNetworkCountryIsoForPhone returns the ISO 3166-1 alpha-2 country code of the registered operator's network, not the numeric MCC; "MCC" is the sandbox's label for the same geolocation check.

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Note: a receiver registered through registerReceiver lives only as long as the hosting process; it does not survive a process kill or a reboot the way a manifest-declared receiver does, so on its own this is a weak persistence indicator.

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxxinglin.xzid419785

su -c id (child process spawned by the app: asks su to run id, a common check for whether a working su binary, i.e. root, is available)
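The behavioral signatures above are the output of rules run over the sandbox's event stream, plus one correlation: package enumeration only earns the banker tag because the static pass found the overlay permission. The script below is an added example (not the sandbox's rule engine) of that logic over constructed event lines written in the style of the indicator rows above. The package-enumeration indicator (IPackageManager.getInstalledPackages) and the "Process spawned" line format are assumptions, since the report does not show those indicators.

```python
"""Behavioural triage: turn sandbox event lines into signatures and tags.

Added example, not the sandbox's own rule engine. EVENTS is constructed in
the style of the behavioral1 indicators; the getInstalledPackages indicator
and the "Process spawned" line format are assumptions.
"""
import re

EVENTS = [
    "Framework service call android.content.pm.IPackageManager.getInstalledPackages",
    "Framework service call android.app.IActivityManager.getRunningAppProcesses",
    "Framework service call android.net.IConnectivityManager.getActiveNetworkInfo",
    "Framework service call android.net.wifi.IWifiManager.getConnectionInfo",
    "Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone",
    "Framework service call android.app.IActivityManager.registerReceiver",
    "File opened for read /proc/meminfo",
    "Process spawned su -c id",
]

# Permissions from the static pass; the correlation rule needs them.
STATIC_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_PHONE_STATE",
}

ENUM_SIG = "Queries a list of all the installed applications on the device"

# (event kind, regex over the event payload, signature name, tags)
RULES = [
    ("call", r"IPackageManager\.getInstalled(Packages|Applications)$", ENUM_SIG, {"discovery"}),
    ("call", r"IActivityManager\.getRunningAppProcesses$",
     "Queries information about running processes on the device", {"discovery"}),
    ("call", r"IConnectivityManager\.getActiveNetworkInfo$",
     "Queries information about active data network", {"discovery"}),
    ("call", r"IWifiManager\.getConnectionInfo$",
     "Queries information about the current Wi-Fi connection", {"discovery"}),
    ("call", r"ITelephony\.getNetworkCountryIso", "Queries the network country code", {"discovery"}),
    ("call", r"IActivityManager\.registerReceiver$",
     "Registers a broadcast receiver at runtime", {"persistence"}),
    ("file", r"^/proc/meminfo$", "Checks memory information", set()),
    ("proc", r"^su\b", "Invokes su (root availability check)", {"discovery"}),
]

# One regex with named alternatives; m.lastgroup tells us which kind matched.
LINE_RE = re.compile(
    r"^(?:Framework service call (?P<call>\S+)"
    r"|File opened for read (?P<file>\S+)"
    r"|Process spawned (?P<proc>.+))$"
)


def parse_event(line):
    """Return (kind, payload) for a recognised event line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.lastgroup, m.group(m.lastgroup)


def triage(events, permissions):
    """Apply RULES to every event, then the static/dynamic correlation rule.
    Returns ({signature: tags}, union of all tags)."""
    hits = {}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        kind, payload = parsed
        for rule_kind, pattern, name, tags in RULES:
            if rule_kind == kind and re.search(pattern, payload):
                hits.setdefault(name, set()).update(tags)
    # Correlation: enumerating installed apps is only an overlay-attack setup
    # when the app can actually draw over them.
    if ENUM_SIG in hits and "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        hits[ENUM_SIG].add("banker")
    all_tags = set().union(*hits.values()) if hits else set()
    return hits, all_tags


if __name__ == "__main__":
    hits, tags = triage(EVENTS, STATIC_PERMISSIONS)
    for name, t in hits.items():
        print(f"{name}: {', '.join(sorted(t)) or '-'}")
    print("tags:", ", ".join(sorted(tags)))
```

The su rule is the one the report lists only under Processes; keying it off the command line rather than a framework call is why the event parser carries a third line kind.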

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.oozhushou.com | udp
US | 70.32.1.32:80 | www.oozhushou.com | tcp
US | 70.32.1.32:80 | www.oozhushou.com | tcp
US | 70.32.1.32:80 | www.oozhushou.com | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Note: 224.0.0.251:5353 is the mDNS multicast group and the 1.1.1.1:53 entries are DNS queries; android.apis.google.com and the undomained 216.58.212.238:443 connection are consistent with Android platform traffic. The sample's own contact is www.oozhushou.com, reached over plain HTTP at 70.32.1.32:80 in three separate connections (request content is not shown in this report).

Files

The same path (for example files/TDtcagent.db and its -wal) is listed more than once because the sandbox hashed the file each time its content changed during the run; each entry is a distinct snapshot, not a duplicate. The -wal, -shm and -journal names are SQLite's write-ahead log, shared-memory index and rollback journal side files for the adjacent .db.

/data/data/com.yxxinglin.xzid419785/helper/menu.sys

MD5 ffb5fbc15c94cce56567254251c92637
SHA1 9aadfae588a6dc1bc4776d518a26c2a47e9fde3a
SHA256 22d2bd6cd13a10a37562e445a435094c2dacd9d8dea5bb103282330495e01142
SHA512 254f930dd6ac90c37aeb05dd4b4265ee3ff77eab2893a76875d0dea1c6b7a0ce15bfd799c7c3ff7a253a178dc6a8640126acd938c676896edf172d12c99f7973

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-journal

MD5 2a56b4794ddbf3a9e0db6a4effe3242e
SHA1 6438b3cfe14a96c51f55b6276dfbed7b446c130e
SHA256 a9909924f28c99155853f0063b3a7772b86473909a72d81cd0e236738a4fa441
SHA512 d8c2a5fee658e4ed67d1c99ce0cb90bb49cde1ac443c347e4657851fdc2550fda865f707e625760d3caa8be0573059989749b00e6bc7385b1df2e3531f4bd783

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 1a39c236d4f3255b4b933a1386a1b56e
SHA1 5c4d742166e361a98796924f9d0455e43ece1ad0
SHA256 cd5c158fb0c9c88e0bc0ca47b107cf147094939a06e6da9dae7d10cffe14e8f7
SHA512 3cf34fc0b5f5e332240dbe4784f123ca9a7b7ef8b76fa60c8e19daa817a9d1b0694f0b8729478d7dfac50bf4eb658020d315f6bacac827d8126e74a2cedc9bf4

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 5d8e25e08673b19fe8256e2b95395109
SHA1 f9aef2994ab2067143ba326f949f28f5463a6dd3
SHA256 896720aaa113b7b14ee1e096c42166d2dd7993c6e8f6fb495419f2a68741c501
SHA512 d157ed7987fde6c91cb2a680e1731ab44303e889870e550458ae334be077ee66c3dd0e74e3a6776098baf2e656c8e0d2da3a6126f40d92e0fc8a88f576750408

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 ad37bb8ccf4ecce44d2619e08b52f96c
SHA1 cbd199fb2b5081b9cf0532ecb053f4db5674cad7
SHA256 540deb79213a1db7aac0d3cffe7f93c3d9eb1e55ce001aea86d5f992b4702710
SHA512 f8af1984ad3cced7a0dfebedc7cd9b0db569503ae494e2cf04dae3b9bafab30a374f5eb3fff6cb944c14bfaa122ddad45cd082afe60b576836a125cc37e1369c

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 7e6250883c45b887ccaa10402c63bf7f
SHA1 3fa431da809e2e8e04f26c1f38b93c03846a3c67
SHA256 ac23b23f88ef95e6c16b422a275906b5fa027e9150bffa81a26ab152fd1f7c03
SHA512 6caa1f2cccabcc4b6ebea49a15ff056d76ff5cb66f6420572fc53565fbc70a75766b760c6a8fcbe0ec536c26aff9ffe4d9118c471de131e42de1335e520e839d

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 adf7d889e201e1eae986c006bb351885
SHA1 56899a279c8663d5c97de434d6047378e6ac62d0
SHA256 bf5dd4cb6222e95032b82faab40f986dcdc244e1033c8f364fda8ccb2e295697
SHA512 2e3e0340bc7459d62e8c5b69198c39f61ad1e28a56f5102e27bd5af8772c2c16900ee45dd4dad72272e5520549c7c79ca5192ed1ead0f401e265378419729acd

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 21167068b0e36b34de2e570664cff955
SHA1 2f03175a41edf6623863f030d75e9665c560cabf
SHA256 83b691a55e810ada513e3a3806d70c2888a840c54f2d737dc19c4c53413b3609
SHA512 24231d2d40bf7ee8aeea31325b23886b72f5ec32be2211aaa2335f53356dabb62841090cf99c6d4a75236433fc0d5dc724edece4834dcbf8bc422328151ea72c

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 44fadbf6239b9056803a897d2339a0a8
SHA1 389acf607d43f130dd43188d1f86d27be1422e1b
SHA256 9314a652b21cd5fa2e8b4a08fc57cbca6e99bf07010eab9205e58ae4116f2170
SHA512 515e7b210dbff92f25166942f0ff3c40d844f75074d752af146ecc9876bdc6bfcb409e33a1b746bc975fd26b30b467a2bb3da169c1675af039fd2c3e2eeb0f7b

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 f95044745969f3bd03122d9ca854a3f3
SHA1 f5bfa5e23f18ba6a127b6c540a96f7b835c541c7
SHA256 b6f13eb6b3a417ca8e76233193aadc8d69195d0947ffeb85ad9e43fe8523e708
SHA512 13a3944e93d5edb084965e77de0d9385023c6ba2ef8511eb07c2511dff20db960c1c149747fb5c87a9d560f3c70c5dab7b4409d92f67b16b1dbd1b3640a6e6cc

/data/data/com.yxxinglin.xzid419785/databases/hhassitant.db-journal

MD5 69a176f85eed30d7f832a40305727b42
SHA1 05098d11c287d61bf766898e00fc19dd46af15e1
SHA256 7cf24dde026c7c31a4baba693429491c4d3d440017b485df5938f30fd37a96af
SHA512 6ec9fa6d913c3be9a81fb3dc40a409f9f72f72e19ecb1ade925a200f40161276f65ef92ee2cc5d9b307ef15760334fcac5ef466f01ccc3b87b0328931ae0fa28

/data/data/com.yxxinglin.xzid419785/databases/hhassitant.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxxinglin.xzid419785/databases/hhassitant.db-wal

MD5 16e9c4b0fea8636b147aadad6f89e65c
SHA1 e842b523ed4cc1871119ee5f3172d54f9d25ad95
SHA256 61ccd27113a55d48308126a430b85fba134fc147085a4a1dbcc0407f85d7f4e5
SHA512 d09b038512cc979c7cf3bb29f40d3498b86d9f5af6d1e52d5edeed5ac6f9873674434f6d1b7324484104b6e15842df74fecd17301aad34e5408dabd2e2285224

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 71908a3c609bc2be9ffd51a40154fe28
SHA1 39714c91db85f7fb9ac39006e9f77d9e80ebbaf0
SHA256 19adbe79b7723b03e186460f7df35c61215d07a5cc7bb1ce7e39a5258221c052
SHA512 72a3a3e5506c8e516c4feb9211e18a1886f163ed7e1fbbd37ec389ddf281cd08424fdf316e133b28e8cfe21655677364fe99fcb9eb345578b89a044f39191f6f

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 0b9ec27a2e505bfd7ddb692f074e5c1f
SHA1 208c9e0fc24286fa0e49ac7432f7885b312fd97e
SHA256 8be3b2345da6660fb6f137717457cd6c73c5e306a314aaf3f471db2a3e85e25f
SHA512 24171e895a08a8d7d5fc35f60c27ffc52d1091aeb1fbf1f0b3284f1adbd4e52b7d5dd25e744adf8c3887ed15241f70d63172c3da3d8bc098914564dfe978c9f3

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db-wal

MD5 66bc0aab0e20763787b3d2b470a4c827
SHA1 7f75a0ad47a375e97656fb0f950c2a7f02e3f351
SHA256 e7c5f6e910bb6f32c4b918264abf6e9dc4f0083417f71adeab88514b1dc53c95
SHA512 44e42303fe009cab4be40f24847cad9e0a38944edb2c2fef27095c94c420f833213d63784d5894e015cb855110fe6ea31ed8a0fd122eef6e4c742a91b1b67346

/data/data/com.yxxinglin.xzid419785/files/TDtcagent.db

MD5 538a0ef804f4bdb9e569fa598ee78b07
SHA1 68ebb4f55b854e8ee0e1453eccf86df4af5a57f6
SHA256 110d67de2b708accdcc790599fe173d7a055b591689407fcff513466cb366127
SHA512 d5fd1b30693336fc000b7c4722bd5654449aa0ca1742723a64579c01b10fb4e47963c621361b57e910aeddcb88cd79e7b1337e6e899cfb0b95eb2bfa3c38bee1
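Most of the dropped artifacts above are one SQLite database written repeatedly in WAL mode, which is why TDtcagent.db and TDtcagent.db-wal each appear with several hashes. The script below is an added example (not part of the report, and the real databases' schema is unknown here) that rebuilds that situation with a constructed table: it hashes the file the way the report does, shows the -wal carrying committed rows that a raw carve of the .db alone would miss, and inventories the tables read-only as an analyst would.

```python
"""Triage of dropped SQLite databases and their -wal/-shm/-journal side files.

Added example, not part of the report. A throwaway database in WAL mode stands
in for TDtcagent.db; the table and rows are constructed. It shows why the
sandbox lists several hashes for one path and why the -wal file matters.
"""
import hashlib
import os
import sqlite3
import tempfile

DIGESTS = ("md5", "sha1", "sha256", "sha512")


def _hashers():
    return {name: hashlib.new(name) for name in DIGESTS}


def hash_bytes(data):
    hashers = _hashers()
    for h in hashers.values():
        h.update(data)
    return {n: h.hexdigest() for n, h in hashers.items()}


def hash_file(path):
    """All four digests the report lists, computed in one pass over the file."""
    hashers = _hashers()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hashers.items()}


def sidecars(db_path):
    """Which SQLite side files exist next to the database right now."""
    return {s: os.path.exists(db_path + s) for s in ("-wal", "-shm", "-journal")}


def dump_tables(db_path):
    """Read-only inventory, table name -> row count. Opening read-only avoids
    modifying the evidence; committed rows still sitting in the -wal are visible."""
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute('SELECT COUNT(*) FROM "%s"' % n).fetchone()[0] for n in names}
    finally:
        con.close()


def simulate_agent_db(directory=None):
    """Mimic an app writing an agent database in WAL mode, taking the same
    measurements the sandbox and an analyst would take along the way."""
    directory = directory or tempfile.mkdtemp(prefix="xzid_")
    db = os.path.join(directory, "TDtcagent.db")  # constructed stand-in
    con = sqlite3.connect(db)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, name TEXT, ts INTEGER)")
    con.commit()
    for i, name in enumerate(("launch", "heartbeat", "heartbeat")):
        con.execute("INSERT INTO events(name, ts) VALUES (?, ?)", (name, 1718281320 + i))
        con.commit()  # in WAL mode each commit lands in TDtcagent.db-wal, not the .db
    result = {
        "path": db,
        "sidecars": sidecars(db),
        "wal_size_before": os.path.getsize(db + "-wal"),
        "sha256_before": hash_file(db)["sha256"],
        "tables_before": dump_tables(db),  # sees the rows that live in the WAL
    }
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # fold the WAL into the .db
    result["wal_size_after"] = os.path.getsize(db + "-wal")
    result["sha256_after"] = hash_file(db)["sha256"]
    con.close()
    return result


if __name__ == "__main__":
    r = simulate_agent_db()
    for k, v in r.items():
        print(f"{k}: {v}")
```

The two SHA-256 values differ and the WAL shrinks to zero only at the checkpoint, which is the behaviour behind the repeated entries above: the sandbox saw the .db and its -wal change independently as the app committed. When collecting such files, take the .db together with its -wal and -shm; hashing or carving the .db alone can miss the newest rows.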