Malware Analysis Report

2025-01-19 07:44

Sample ID 240614-3ry9ysvejm
Target ac10f5177effa07c3a6ebcc96be49ca4_JaffaCakes118
SHA256 f293f483b73d53a34e54897c85b57b8e678fc27e6e815db7528ed056170c26ee
Tags
discovery evasion persistence
score
6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file ac10f5177effa07c3a6ebcc96be49ca4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-14 23:45

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 23:45

Reported

2024-06-14 23:48

Platform

android-x86-arm-20240611.1-en

Max time kernel

167s

Max time network

138s

Command Line

com.roboo.wams

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.roboo.wams

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 s.jpush.cn udp
CN 1.92.70.140:19000 s.jpush.cn udp
US 1.1.1.1:53 wams.roboo.com udp
CN 1.92.70.140:80 s.jpush.cn udp
US 1.1.1.1:53 im.jpush.cn udp
CN 106.75.55.8:3000 im.jpush.cn tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/data/data/com.roboo.wams/databases/rep.db-journal


/data/data/com.roboo.wams/databases/rep.db


/data/data/com.roboo.wams/databases/rep.db-shm


/data/data/com.roboo.wams/databases/rep.db-wal
