Malware Analysis Report

2024-09-09 17:10

Sample ID 240614-axqwjs1gkk
Target a756c87a15cf128cfd1d8c6fb316229f_JaffaCakes118
SHA256 850454ef37d4a9ac64db5145dcb646db2fb98496444c43ace5aabe193dbdcfc5
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

850454ef37d4a9ac64db5145dcb646db2fb98496444c43ace5aabe193dbdcfc5

Threat Level: Shows suspicious behavior

The file a756c87a15cf128cfd1d8c6fb316229f_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Queries information about active data network

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:35

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:35

Reported

2024-06-14 00:38

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

153s

Command Line

com.xiaomi.gamecenter.sdk.service

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.xiaomi.gamecenter.sdk.service

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 register.xmpush.xiaomi.com udp
NL 20.47.97.231:443 register.xmpush.xiaomi.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp

Files

/data/data/com.xiaomi.gamecenter.sdk.service/databases/mistat.db-journal

MD5 863e9dd727e2e3e95cd81448e07b8ece
SHA1 b5da3e7b6b4a007b2d00207f56dfa729e946d39c
SHA256 de89c980529e6978b865683f640afc33edc9d190b97ba4e42644b3bc46769582
SHA512 7bac3f99a86f917accb28c3a1d6cb982b11ad03102f6966c705690b2909f1c22d84d066b5b42e65935fa6d236b01b5ec6a08b1ea79883c2275a6422ca5574789

/data/data/com.xiaomi.gamecenter.sdk.service/databases/mistat.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xiaomi.gamecenter.sdk.service/databases/mistat.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xiaomi.gamecenter.sdk.service/databases/mistat.db-wal

MD5 50ee862d8767bdb99a53f6c6a89a3d2a
SHA1 b71c8f69772457428dff183117f9bc8c28c08e4c
SHA256 befb09ce2b2341306ec9a5315c46c9021f96b6e1707877b2f3567d0b07ad30a3
SHA512 7a47b043f1bf3a7904d41481ba4cd77809c5499c5227de27587f0c16b3a7f020e9de9d42fc0611dc5af110d8e0c0b64cc4082f17785f9925f5544e45e6a9fe46

/data/data/com.xiaomi.gamecenter.sdk.service/files/xiaomi.cfg

MD5 340611b379e362128c71623c5e8da1b4
SHA1 0673cee3ec93948c5474f182f9bc0bf0dbc0076e
SHA256 ecbb19ea2633933cda78f7ff1d954581fb582f04a4ef3104c28b20c9afe65f69
SHA512 7f6aa02295b963c4f3b1f93118e5a5230d163b54faafd0efb2ce3d5a8af9f1d8327f612013332388a6e10fb851496e147e300acc4f8d79389ffbb04ca2dd7555

/data/data/com.xiaomi.gamecenter.sdk.service/files/users/0/accounts.db-journal

MD5 80245ec71619f09c960464f00093f9fb
SHA1 23408450a0b3ddd7eb96284defd91a8197042e87
SHA256 3b3063ca1f9e01d1da88970cd7da2bd337f216d87004f8d5c4b3053af79eb5a6
SHA512 9f2a0798594c4713708dbf94aa2bd32e327a177c520eac4683fac37432602d23b3176287947b4f7cd8f66683956e95b60c74ba038ffb3b6c23cdfd05b3d3ef40

/data/data/com.xiaomi.gamecenter.sdk.service/files/users/0/accounts.db-wal

MD5 2647f9895321355ff9d63b9289bb07d1
SHA1 e5576eb256d14695350a7fc803b044198abf1b0e
SHA256 8d0f6a62f6379c3fa93149b08eece1b71cbbb996ffcec4bdb7bc263003b13ee1
SHA512 3af7c0599b6e94963ebe763af5affc2c674b96df207e3764c1e268c4dc0147caa1d5797e1cd670f8c0bea7e7a4cecccc1c45532ed274ae7ab5d8e0a1624ed35e

/storage/emulated/0/mipush/log/com.xiaomi.gamecenter.sdk.service/log1.txt

MD5 5807550fd0e7ff23a010e6e75d1ae824
SHA1 0da243ce15e5a809cbddc78dfe6749b9fc4a0ae0
SHA256 061e16cfd613d6790579c0542e6bf94b42acff69da6d9c33e2af71a3ddb2e040
SHA512 f135d7f8cf356a056abc503e0be7d9f6294cddf75b4f3d2f0703988b88d501012d12ba5c194f1bcf3dcb3e45583e42207c6dd8f695032b249429e755a52595b9

/storage/emulated/0/mipush/log/com.xiaomi.gamecenter.sdk.service/log1.txt

MD5 2140ca9b3922933c6b996d534b89cd0e
SHA1 28438b0d22b8a3735430a7729b6a964a9bed3bb3
SHA256 da28df618be7795d01e32d8e0fedc464606e639e8a24e45b5b85b898a84959fe
SHA512 7158e7de2d9542ff5625bbe6fb001476a2472a3e8d3455a63f433bff7b9df7319c1e4d8e6fd4dbeec0a3d9374c5bf85eae13a5d349d960931d2b40d4125c6cb5

/storage/emulated/0/mipush/log/com.xiaomi.gamecenter.sdk.service/log1.txt

MD5 ca37ee8920ef34111090ba3a18b690f3
SHA1 c20e7e0d5ba0f752c16c3987b3f341f238f49d71
SHA256 f5f273b1c7ef1b29bf7ac01bada3aadb5327b551795651ca4d1d34727c416164
SHA512 2da188d1cb7b63f9fd37851060b58610b79308769654e529077fa787d70a2bfcc5aeaa642786ee62e00de3ba02b5ccafd9c5f0698598ba195c2a05d1fe4fd2c0

/storage/emulated/0/mipush/log/com.xiaomi.gamecenter.sdk.service/log1.txt

MD5 e22f0b924656f2b9de4a4d44a7503bee
SHA1 ee809a77b9d2582c6e742f963aecd243f936a0ea
SHA256 ca0016a1133e89e5157d6d45b51fb58176763e8e07819db04629b61b4fd1dcce
SHA512 5c789aeff4ba2a2ee9249a6f3bfc8944e3d349337b744d788dd6f4bc51b409b0bd8f8a4e699f040917832e7481908b051cbd330b668bdb804a3a95168c130122

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:35

Reported

2024-06-14 00:39

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

148s

Command Line

com.ibirdgame.tank.mi

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.ibirdgame.tank.mi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 121.42.53.100:8090 tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.ibirdgame.tank.mi/files/mobclick_agent_cached_com.ibirdgame.tank.mi

MD5 0f9343317d435ea836514fad8d086cc1
SHA1 f485e70e611d941c7dc925a3491103e1d4b3d048
SHA256 e8a4dd385545ac0c20f1a0243be2730db3256c1f3e668bab226062afab5c8766
SHA512 a602d804b955b15190d88f49d7fa4861c9b288c6134f23b84bf4899d6e3435b9fd2ab3389d5bb1b2f60c6e5c36fe385de5aaf245a7217d5b0e128ef067e309f1