Malware Analysis Report

2024-09-09 13:40

Sample ID: 240614-bljtjashpn
Target: a77b30b6c272d3ae2cd35d346b55ed31_JaffaCakes118
SHA256: 1f8da7d30f433a8e8d477064f9a2490c7174675e0d095c7f1aed86f265065cff
Tags: discovery, evasion, impact, persistence, stealth, trojan, collection, credential_access
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file a77b30b6c272d3ae2cd35d346b55ed31_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Checks if the Android device is rooted.

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 01:13

Signatures

Requests dangerous framework permissions

Permission: android.permission.READ_PHONE_STATE
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Permission: android.permission.READ_EXTERNAL_STORAGE
Allows an application to read from external storage.

Permission: android.permission.ACCESS_COARSE_LOCATION
Allows an app to access approximate location.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 01:13
Reported: 2024-06-14 01:17
Platform: android-x86-arm-20240611.1-en
Max time kernel: 27s
Max time network: 159s

Command Line

net.croz.myWay

Signatures

Checks if the Android device is rooted.
Tactics: evasion
Indicator: /system/app/Superuser.apk

Removes its main activity from the application launcher
Tactics: stealth, trojan, evasion
Indicator: N/A

Loads dropped Dex/Jar
Tactics: evasion
Indicator: /data/user/0/net.croz.myWay/cache/1582435991586.jar

Queries information about running processes on the device
Tactics: discovery
Indicator: Framework service call android.app.IActivityManager.getRunningAppProcesses

Queries the mobile country code (MCC)
Tactics: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactics: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tactics: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Tactics: N/A
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Tactics: N/A
Indicator: File opened for read /proc/meminfo

Processes

net.croz.myWay

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/net.croz.myWay/cache/1582435991586.jar --output-vdex-fd=77 --oat-fd=78 --oat-location=/data/user/0/net.croz.myWay/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353                                          udp
US       1.1.1.1:53            googleads.g.doubleclick.net         udp
GB       216.58.212.194:443    googleads.g.doubleclick.net         tcp
GB       216.58.212.194:443    googleads.g.doubleclick.net         tcp
GB       216.58.212.194:443    googleads.g.doubleclick.net         tcp
US       1.1.1.1:53            ssl.google-analytics.com            udp
GB       216.58.212.200:443    ssl.google-analytics.com            tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       216.58.201.106:443    semanticlocation-pa.googleapis.com  tcp
GB       216.58.212.238:443                                        tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       216.58.212.238:443    android.apis.google.com             tcp

Files

/data/data/net.croz.myWay/files/sPOUXYqrT (2 distinct versions)
/data/data/net.croz.myWay/databases/rg.stocks.positions.db-journal
/data/data/net.croz.myWay/databases/rg.stocks.positions.db
/data/data/net.croz.myWay/databases/rg.stocks.positions.db-shm
/data/data/net.croz.myWay/databases/rg.stocks.positions.db-wal
/data/data/net.croz.myWay/files/gaClientId
/data/data/net.croz.myWay/cache/1582435991586.jar
/data/user/0/net.croz.myWay/cache/1582435991586.jar (2 distinct versions)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 01:13
Reported: 2024-06-14 01:17
Platform: android-x64-20240611.1-en
Max time kernel: 8s
Max time network: 134s

Command Line

net.croz.myWay

Signatures

Removes its main activity from the application launcher
Tactics: stealth, trojan, evasion
Indicator: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactics: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver

Processes

net.croz.myWay

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353                                 udp
GB       142.250.179.234:443                              tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.200:443   ssl.google-analytics.com   tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.212.206:443    android.apis.google.com    tcp
GB       142.250.200.14:443                               tcp
GB       172.217.169.66:443                               tcp
GB       216.58.201.100:443                               tcp
GB       216.58.201.100:443                               tcp
GB       216.58.204.78:443                                tcp

Files

/data/data/net.croz.myWay/files/sPOUXYqrT (2 distinct versions)
/data/data/net.croz.myWay/files/gaClientId
/data/data/net.croz.myWay/databases/rg.stocks.positions.db-journal (3 distinct versions)
/data/data/net.croz.myWay/databases/rg.stocks.positions.db

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 01:13
Reported: 2024-06-14 01:17
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 75s
Max time network: 163s

Command Line

net.croz.myWay

Signatures

Checks if the Android device is rooted.
Tactics: evasion
Indicator: /system/app/Superuser.apk

Removes its main activity from the application launcher
Tactics: stealth, trojan, evasion
Indicator: N/A

Loads dropped Dex/Jar
Tactics: evasion
Indicator: /data/user/0/net.croz.myWay/cache/1582435991586.jar

Obtains sensitive information copied to the device clipboard
Tactics: collection, credential_access, impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device
Tactics: discovery
Indicator: Framework service call android.app.IActivityManager.getRunningAppProcesses

Uses Crypto APIs (Might try to encrypt user data)
Tactics: impact
Indicator: Framework API call javax.crypto.Cipher.doFinal

Checks CPU information
Tactics: N/A
Indicator: File opened for read /proc/cpuinfo

Checks memory information
Tactics: N/A
Indicator: File opened for read /proc/meminfo

Processes

net.croz.myWay

Network

Country  Destination           Domain                        Proto
GB       142.250.187.206:443                                 tcp
GB       142.250.187.206:443                                 tcp
N/A      224.0.0.251:5353                                    udp
US       1.1.1.1:53            ssl.google-analytics.com      udp
GB       142.250.187.232:443   ssl.google-analytics.com      tcp
US       1.1.1.1:53            googleads.g.doubleclick.net   udp
GB       142.250.179.228:443                                 tcp
GB       142.250.179.228:443                                 tcp
GB       216.58.201.110:443                                  tcp
GB       142.250.179.226:443                                 tcp

Files

/data/user/0/net.croz.myWay/files/sPOUXYqrT (2 distinct versions)
/data/user/0/net.croz.myWay/databases/rg.stocks.positions.db-journal (3 distinct versions)
/data/user/0/net.croz.myWay/databases/rg.stocks.positions.db
/data/user/0/net.croz.myWay/files/gaClientId
/data/user/0/net.croz.myWay/cache/1582435991586.jar (2 distinct versions)