Malware Analysis Report

2024-09-09 17:09

Sample ID 240614-b8sd7a1aqf
Target a79d28816e2f1942f31b9d45863d291c_JaffaCakes118
SHA256 619b604549bfc804433a9d3e3d109e961aaa4ce6d8377ace19048a611d7cc866
Tags
banker discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

619b604549bfc804433a9d3e3d109e961aaa4ce6d8377ace19048a611d7cc866

Threat Level: Shows suspicious behavior

The file a79d28816e2f1942f31b9d45863d291c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 01:49

Signatures

Requests dangerous framework permissions

Indicator: Description (Process and Target are N/A for every entry)

android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.READ_SMS: Allows an application to read SMS messages.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 01:49

Reported

2024-06-14 01:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

25s

Max time network

130s

Command Line

net.xunl.secretary

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery

Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery

Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery

Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

net.xunl.secretary

Network

Country  Destination            Domain                   Proto
N/A      224.0.0.251:5353       -                        udp
US       1.1.1.1:53             message.ssevening.com    udp
US       1.1.1.1:53             app.wapx.cn              udp
US       1.1.1.1:53             app.waps.cn              udp
US       1.1.1.1:53             ads.wapx.cn              udp
GB       142.250.187.206:443    -                        tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       216.58.204.78:443      android.apis.google.com  tcp
GB       216.58.212.202:443     -                        tcp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 3dae3fce55fa85371bc9709a59774789
SHA1 1cc9653e85088da4ed1dd325504f3f8fa293c025
SHA256 f31ad1c5805a11dee2d2bd59f0f306fe0fdd2a8c1bd133325849b186f3355922
SHA512 61ab753777c16f29cac066717a73f6892c125a61faf10968a185118f7233c5395d00094a4a6fdbf210a48f7aecb0c2d80e4ff389fcb62bb6dce8e2cf3a0ddc79

/data/data/net.xunl.secretary/files/gfagent.db-journal

MD5 ebee25d7f7873814c831028ac9b3af78
SHA1 bb9de7b7323d6027644d1236b70506622d3c94a3
SHA256 f5b9c0953b640f44007e1067abe901340d11f6390425b227d6903a371e6de530
SHA512 0939a90e58c15fa5d7cca13d6bec5252d5619eb7ad78977da0481630a67ad3e361722bf143c960246f29f42e33841104ca8aa67045ed95dcee25f668790c07b5

/data/data/net.xunl.secretary/files/gfagent.db

MD5 1a9f9400452458d4dfe9292bc005aada
SHA1 c6cb6df0b42cf2189fea45fe9c88e0f005251d54
SHA256 b90c4e82cabb22faae2b86289bf88f496ae43c3f370c8d26f61e27fc84533161
SHA512 521ba80b80ce763ee7c358aade9963b03b2a0ddc063656d766da93bc2c43b3deba379a8125c9c8c88faeee8702f48450914617cac1c9055c13725c1fa1c3fb1b

/data/data/net.xunl.secretary/files/gfagent.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/net.xunl.secretary/files/gfagent.db-wal

MD5 9bfe9f5f5b6eec87773ef4ea5a835ab3
SHA1 1b6c44e988b79c585f0e8b0759479a22b33958e1
SHA256 25978a3ae69e097d641a19233e8aba317e3d486ab52deae9428cd9dbe99b0f0a
SHA512 4824a160dc467654b2ca1ddb9b7c8139355f43b06e474c073c8919ea07994fbb9c40a263fd89d1664d44e41ad0fac33dd39c2a0f8377ef4ce196fcd800b9ce73

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 5e80a3c0d601ec41a7a3f3294a18f044
SHA1 ba97818bc1d35b0fd31170fd9f4f8f7b452279a1
SHA256 ba280c15abf32d627ff1107cee721ec83b980e0faaa29af8d6a2dfd2908dc259
SHA512 3c1f9df2a11ff3a1fc66aea597b8af83dec38f0e88a8e87167a79cd58d59d6fe68537dc6f5d496f2e25e0f71bdb7186e897c53a4b7d89aa0f3e9827ae1298f37

/storage/emulated/0/.tid

MD5 67f21b466c3c2c4b0db16af247105fb5
SHA1 cc375a5ba9c315c20ea2f24fb9791cea0d20a832
SHA256 d049475d722699a5ca3ca0138a4db6468bf5b5a8c9415a25190cf81d75f29f86
SHA512 1c77069144becdb786e055084335173bd06bc631ccfac19a52e5feffc0d97c1e2d30f1069ec2999279b77dc6e43947394f4494bccd3e16107df92f7a50336651