Malware Analysis Report

2025-01-19 07:44

Sample ID 240614-31v9na1gpg
Target ac1fc71c27758f38f54788b00899813d_JaffaCakes118
SHA256 3dab86ae4007b8a3c0b8bea6eff0f23d94855e07ab955d784b96aabfdc4fa3a1
Tags
discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3dab86ae4007b8a3c0b8bea6eff0f23d94855e07ab955d784b96aabfdc4fa3a1

Threat Level: Shows suspicious behavior

The file ac1fc71c27758f38f54788b00899813d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:59

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:59

Reported

2024-06-15 00:02

Platform

android-x86-arm-20240611.1-en

Max time kernel

9s

Max time network

160s

Command Line

lthj.exchangestock

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

lthj.exchangestock

lthj.exchangestock:ipc

io.rong.push

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 stats.cn.ronghub.com udp
US 1.1.1.1:53 oc.umeng.com udp
GB 8.208.8.123:443 stats.cn.ronghub.com tcp
CN 59.82.23.79:80 oc.umeng.com tcp
US 1.1.1.1:53 nav.cn.ronghub.com udp
GB 8.208.102.120:80 nav.cn.ronghub.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

/storage/emulated/0/lthj.exchangestock/cache/image/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/lthj.exchangestock/files/umeng_it.cache

MD5 1c3decd1f8492f2beee224562a99ace8
SHA1 3e5d496155752a8f272bb45dae0f4e2da9dbbeb9
SHA256 7cd3012bf2f1caf55aeeb57a66ae537f80464f80ae2f93e1ee253ee1f86ee115
SHA512 8cbc07f1f6e2e8bba329133713c89e5b159cfa0993c11a796210fb2d9f2d92712f3ff466074d9d0bc9d25c002e3b70c1ce684f46715cb7b0df57e0fc370415b7