Malware Analysis Report

2024-09-09 17:18

Sample ID 240614-an8d8sxdng
Target a74b5f768ff71f0607f06016e28baac9_JaffaCakes118
SHA256 59c9f08faaad1a89a358f69361b98909d6497640f692d533e927701cc25c9588
Tags
discovery evasion persistence
score
8/10

Analysis Overview

score
8/10

SHA256

59c9f08faaad1a89a358f69361b98909d6497640f692d533e927701cc25c9588

Threat Level: Likely malicious

The file a74b5f768ff71f0607f06016e28baac9_JaffaCakes118 was found to be: Likely malicious. The verdict is automated. It rests on the breadth of the permission set requested by the app (telephony, precise location, camera, microphone, contacts and accounts, overlay windows, call control) together with the behaviours observed at detonation (a root check, enumeration of running processes, a broadcast receiver registered at runtime). Each of these also occurs in legitimate apps and third-party SDKs, so treat the score as a triage signal and confirm by manual review of the APK before acting on it.

Malicious Activity Summary

discovery evasion persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:22

Signatures

Requests dangerous framework permissions

Indicator and Description (Process and Target are N/A for every row: a permission request is declared in the manifest and has no runtime process attached)

android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_FINE_LOCATION
    Allows an app to access precise location.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.RECORD_AUDIO
    Allows an application to record audio.
android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.GET_ACCOUNTS
    Allows access to the list of accounts in the Accounts Service.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
android.permission.PROCESS_OUTGOING_CALLS
    Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
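To turn the flattened permission table above into something a triager can reason about, the following Python is an added example (not part of this report and not the sandbox's own tooling). It parses the rows exactly as they appear in the report into description / permission / process / target records, groups the permissions into capability classes, and flags combinations that merit a manual look. The capability classes and the combination rules are this example's own heuristics, not an official Android taxonomy.

```python
"""Parse a sandbox 'Requests dangerous framework permissions' table and build a
capability profile for triage.

Added example, not part of the original report or the sandbox's code. The
CAPABILITIES and COMBINATIONS groupings are this example's own heuristics.
"""
import re
from collections import defaultdict

# Constructed input: the permission rows copied from the report's static1 analysis.
REPORT_ROWS = """\
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
"""

# One row = free-text description, the permission, then the Process and Target columns.
ROW_RE = re.compile(
    r"^(?P<desc>.*?)\s+(?P<perm>android\.permission\.[A-Z_]+)\s+(?P<process>\S+)\s+(?P<target>\S+)$"
)

# Example's own grouping of permissions by the capability they grant.
CAPABILITIES = {
    "telephony": {"READ_PHONE_STATE", "CALL_PHONE", "PROCESS_OUTGOING_CALLS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "sensors": {"CAMERA", "RECORD_AUDIO"},
    "identity": {"GET_ACCOUNTS", "READ_CONTACTS"},
    "ui_overlay": {"SYSTEM_ALERT_WINDOW"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "system": {"WRITE_SETTINGS"},
}

# Example's own rules: permission sets that together deserve a manual look.
COMBINATIONS = {
    "call redirection without user confirmation": {"CALL_PHONE", "PROCESS_OUTGOING_CALLS"},
    "overlay over other apps with telephony access": {"SYSTEM_ALERT_WINDOW", "READ_PHONE_STATE"},
    "audio and camera capture": {"RECORD_AUDIO", "CAMERA"},
}


def parse_rows(text):
    """Return one dict per table row: desc, perm, process, target and the short name."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or blank
        row = m.groupdict()
        row["short"] = row["perm"].rsplit(".", 1)[1]
        rows.append(row)
    return rows


def capability_profile(rows):
    """Map capability class -> set of requested permissions that grant it."""
    profile = defaultdict(set)
    for row in rows:
        for cap, members in CAPABILITIES.items():
            if row["short"] in members:
                profile[cap].add(row["short"])
    return dict(profile)


def flagged_combinations(rows):
    """Names of COMBINATIONS fully present in the requested set, sorted."""
    present = {row["short"] for row in rows}
    return sorted(name for name, needed in COMBINATIONS.items() if needed <= present)


if __name__ == "__main__":
    parsed = parse_rows(REPORT_ROWS)
    for cap, perms in sorted(capability_profile(parsed).items()):
        print(f"{cap:12} {', '.join(sorted(perms))}")
    for name in flagged_combinations(parsed):
        print("FLAG:", name)
```

The parser keeps the Process and Target columns even though they are N/A here, so the same code works on behavioral signature rows where they are populated.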

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:22

Reported

2024-06-14 00:26

Platform

android-x86-arm-20240611.1-en

Max time kernel

6s

Max time network

140s

Command Line

com.nd.up91.p71

Signatures

Checks if the Android device is rooted.

evasion
Indicator: /system/app/Superuser.apk (path probed; Description, Process and Target: N/A)
Probing for Superuser.apk is a common root-detection heuristic. It is tagged evasion because a sample can use the result to behave differently on rooted or instrumented analysis devices, but the same check is shipped by many legitimate apps and SDKs.

Queries information about running processes on the device

discovery
Indicator: framework service call android.app.IActivityManager.getRunningAppProcesses (Process and Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver (Process and Target: N/A)
A receiver registered at runtime lives only as long as the registering process; the tag reflects that the app listens for system events, not that it survives a reboot on its own.

Checks memory information

Indicator: file opened for read /proc/meminfo (Process and Target: N/A)

Processes

com.nd.up91.p71

Network

Country  Destination           Domain                   Proto
GB       142.250.180.14:443    -                        tcp
N/A      224.0.0.251:5353      -                        udp
GB       142.250.187.206:443   -                        tcp
US       1.1.1.1:53            android.apis.google.com  udp
GB       142.250.179.238:443   android.apis.google.com  tcp

224.0.0.251:5353 is the mDNS multicast group and never leaves the local link. 1.1.1.1:53 is the resolver used during detonation; the Domain column on that row is the name queried. The two 142.250.x.x:443 rows carry no domain in the capture and should be attributed (for example by whois) before being treated as anything other than platform traffic.
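A small triage pass over the Network table, as an added example (not part of the report and not the sandbox's code): it parses the rows as printed above, separates link-local multicast and resolver traffic from connections that carry a domain, and checks the remaining bare IPs against a set of known ranges. The 142.250.0.0/15 range being Google's is this example's assumption; confirm it with whois before relying on it.

```python
"""Classify the rows of a sandbox 'Network' table for triage.

Added example, not part of the original report or the sandbox's code.
"""
import ipaddress

# Constructed input: the five rows of the behavioral1 Network table.
NETWORK_ROWS = """\
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
"""

# Ranges this example assumes belong to platform infrastructure.
# The Google /15 is an assumption of this example: verify with whois.
KNOWN_RANGES = {"google": [ipaddress.ip_network("142.250.0.0/15")]}


def parse_network(text):
    """Return one dict per row. The Domain column is optional, so a row has
    either three fields (country, dest, proto) or four (with the domain)."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # header or blank
        host, _, port = fields[1].rpartition(":")
        rows.append({
            "country": fields[0],
            "ip": ipaddress.ip_address(host),
            "port": int(port),
            "domain": fields[2] if len(fields) == 4 else None,
            "proto": fields[-1],
        })
    return rows


def classify(row):
    """Label a row: local noise, resolver traffic, attributed by domain,
    inside a known range, or 'review' for anything left over."""
    if row["ip"].is_multicast:
        return "local-multicast"            # e.g. mDNS 224.0.0.251:5353
    if row["port"] == 53:
        return "dns-query"                  # domain column holds the queried name
    if row["domain"]:
        return "attributed:" + row["domain"]
    for owner, nets in KNOWN_RANGES.items():
        if any(row["ip"] in net for net in nets):
            return "in-known-range:" + owner
    return "review"


def triage(text):
    """Bucket destinations by label, preserving report order within a bucket."""
    buckets = {}
    for row in parse_network(text):
        key = f"{row['ip']}:{row['port']}/{row['proto']}"
        buckets.setdefault(classify(row), []).append(key)
    return buckets


if __name__ == "__main__":
    for label, dests in triage(NETWORK_ROWS).items():
        print(f"{label:40} {', '.join(dests)}")
```

Anything that lands in the "review" bucket is what an analyst should pivot on first; for this detonation every row is accounted for by multicast, the resolver, a Google hostname or the assumed Google range, which is consistent with the absence of a MITRE ATT&CK command-and-control entry in the report.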

Files

/data/data/com.nd.up91.p71/app_crashrecord/1004

MD5 7c7407701e34caae6e2066334182e92c
SHA1 1bd7c42e84877b2263048d1b7612ae32b0d4bfdd
SHA256 950b0679ebc1806c2e7bc7a0951b2d571976b3fd82155a39e010d0d316f6468e
SHA512 2b973c9b6e6c6877c5ca70e625320978e1e9fd6d37d7ea0b01b8464ee74391db35bf25517bee89870f2c4d7cb912247c77bbd9bd555a5d2d6a2e6ff9d2ec8032

/data/data/com.nd.up91.p71/databases/bugly_db_-journal

MD5 517863502240a7b975790f6a2dc9165d
SHA1 08cde592c7eb78516ebfa00b46b51f44064fee3a
SHA256 15a7a6d95b78b152f61d6a30bf89db3addb352c068b88bdfed0456706a6ad3f6
SHA512 adc6f158351d9473a7955667450ebf04ca1b5bf0584518ecedf7e020dbec8bc08a3a5559bab233c7cbe39742e09015a961b33aa8c8ccb870de0577631914f6da

/data/data/com.nd.up91.p71/databases/bugly_db_ (SQLite main file; the -journal, -shm and -wal entries are its sidecars. The name is consistent with the database created by the Tencent Bugly crash-reporting SDK.)

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nd.up91.p71/databases/bugly_db_-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.nd.up91.p71/databases/bugly_db_-wal

MD5 ebaafad59828d936b32a67092ce0633b
SHA1 f77bed9321fb390b6350bed009e0645f4744821a
SHA256 90be17e830dc7ce7520a4b0525a3488e09ad157c1a3dc02447a733a51cdd5139
SHA512 bbb179f51c6bc60e9f858772a82df0b54a57962c2d359ef7502529ce9796ee863f6716884fba65c87973862a4d8461c21d951595fc21b24c1d5c3dc687e481e8

/data/data/com.nd.up91.p71/app_crashrecord/1004 (second capture of the same path; the digests differ from the entry above, so the file was rewritten during detonation)

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.nd.up91.p71/app_crashrecord/1002

MD5 8cf08b47ad57327fdaf17000c698e905
SHA1 9c5533c27bd020e764b75dcbea912e9e11d175bc
SHA256 749f85a214665ece23004bc858f2193e924e793350d5d31c56cd2253e6649cca
SHA512 d81cbcb0366a0d94d174efd683a5dcbd9144ae1f22ac7f2366302adf71ffbea6bc6327871bf9d0b2ef9aa158d25f2c45d977d2e92a040ba1174f722141c33e74

/data/data/com.nd.up91.p71/databases/datalayer.db-journal

MD5 1e84bba1c8a2437ac0345cc2160fe00a
SHA1 76114a7b7afa95e7ad1186050a817b21e0e5038c
SHA256 5c4a14978ebb1a01b2f3a0a56b8de9f0b0ad81e6cf798c74ab766c596baf567a
SHA512 96ec84d44ec85654d77f49cfcd7dc5810d97c0e6b1a0aac825ea68a7f1f23184cbf4b22b8843199ede2889fd49c3a4a176e8dfa4c517259b71c1e695f01af487

/data/data/com.nd.up91.p71/databases/datalayer.db-wal

MD5 0c4559b016d49fd5b912d9a888c43476
SHA1 6818a50c20aa839cfeba06042344015e645c7bfd
SHA256 318c2f1a13a90879aeb2c1b39d64fcb1f90de3ab4c98334a0a27bb32406d5001
SHA512 d5f74179f6f9f79f06eda51912041deb6713ceea2b57d25e1f279e9d608384a28a19053ed99f6fc982a79923f54aa1ba2257aeb1fd5e111f5b4b68a76b320958

/data/data/com.nd.up91.p71/databases/UcAccount.db-journal

MD5 e1cf135b6f1df68221662dd69063a47b
SHA1 90cf8b5116d8496650db9dc6aa596659f2b161b3
SHA256 527b0e1982b4288ee5718c8e9a3147e5ab94672bb832981a59c42dea46180dca
SHA512 fb04d94976e32979a5cdc51f2190ff1b06dcac8b468deab8a298418b8cd86729fe467986c58797a3468220c15cf5e34d79620e75255b466a685f7a71205fa271

/data/data/com.nd.up91.p71/databases/UcAccount.db-wal

MD5 4f1ebd74508ff6cc0e6b52fa1dcba3e0
SHA1 a824058a3bc34677f3d9b5b9ccf88fc3c8414aaf
SHA256 b85d7f6ff0f1646f132b39a25e2851bfa84dbc53966545791f111580e8909ccb
SHA512 5768a4fcda42ec9128825e76a1a954a4ebdfce798162dfe4e8c29cc7c1e197a45002b331b13e3fb1a0d6bc2e1b68079fec4b2d0fdfef66b8e1bb892bd8297926