Malware Analysis Report

2024-09-09 17:10

Sample ID: 240614-c2jzxasclc
Target: a7bad3dc83bc22a8bb43bfdc1941322d_JaffaCakes118
SHA256: f52df789ecd95881dac24787d88fd28f7d4888b2b25ddf7a789bd307f50d67b3
Tags: banker, discovery, impact, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: f52df789ecd95881dac24787d88fd28f7d4888b2b25ddf7a789bd307f50d67b3

Threat Level: Shows suspicious behavior

The file a7bad3dc83bc22a8bb43bfdc1941322d_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery, impact, persistence

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 02:34

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:37
Platform: android-x64-20240611.1-en
Max time network: 163s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:37
Platform: android-x64-20240611.1-en
Max time kernel: 8s
Max time network: 185s

Command Line

com.baidu.platformsdk.wxpay

Signatures

N/A

Processes

com.baidu.platformsdk.wxpay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.16.226:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:34
Platform: android-x86-arm-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:37
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 189s

Command Line

com.winnergame.bwysz_new:lbmain

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.winnergame.bwysz_new:lbmain

com.winnergame.bwysz_new

com.winnergame.bwysz_new:bdservice_v1

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | sdk.loveota.com | udp
US | 1.1.1.1:53 | unionsdk.m.baidu-mgame.com | udp
CN | 180.76.198.209:80 | sdk.loveota.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
US | 1.1.1.1:53 | api.tuisong.baidu.com | udp
HK | 103.235.47.247:80 | api.tuisong.baidu.com | tcp
US | 1.1.1.1:53 | sa.tuisong.baidu.com | udp
US | 1.1.1.1:53 | sa.tuisong.baidu.com | tcp
CN | 112.34.113.99:5287 | sa.tuisong.baidu.com | tcp
US | 1.1.1.1:53 | zjh.weilanhd.com | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
US | 1.1.1.1:53 | www.baidu.com | udp
US | 1.1.1.1:53 | api.tuisong.baidu.com | udp
CN | 112.34.113.99:80 | sa.tuisong.baidu.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 42.193.107.21:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 81.70.207.199:80 | unionsdk.m.baidu-mgame.com | tcp
CN | 82.156.25.163:80 | unionsdk.m.baidu-mgame.com | tcp

Files

/data/data/com.winnergame.bwysz_new/files/bdp_channel

MD5 cf16d8f7050622e40c30a40e0f03a7b4
SHA1 59b66b35646a806e7842971c9b60605bed4c9ead
SHA256 cdb6258c06e7b11aece25e7d2c2588258e196ee9446402cabc1f7cc1045525d9
SHA512 4dfdce5e2a5e471cca2998ce16634dc8e42c83a3da7d1c08d41004b6817c2e6c605c5619c8a0efa1c10f2dde5baf7a996f29cf0fd01ac3f24540d02c3efe0331

/storage/emulated/0/baidu/.cuid

MD5 700dafee4970159fb47ba1b0bf2e85bd
SHA1 07c024edda43ede3749416f224671a6413bf2f45
SHA256 f5c6f52da72c882a6093af8149439d972d3b9bd7df6a33aaeb53561a0850bd04
SHA512 2ec665e4e9e8ce8d2193ed09cc72f8582e470eef65dbaddf533dcf09136239b7698c641b87cd8cd341365a94d9669a54ff465d916de4df293fc7e990bf35717a

/data/data/com.winnergame.bwysz_new/files/account_deb6af019f_aae2fbe9fb02948c2eab7b31f2a0a5a2

MD5 f03b76d3c0345422a12fc955df7028ee
SHA1 4a7c48dffadea4179e41a88d8c596f58bf17294a
SHA256 9974dc45dacf776e10ff6b2dcef59ce78f6b684fc563c03ee50e9d579f9afa67
SHA512 e13605ee320bf15ad607192f4dea4b711506a8cfd39fb3bc743127bf96fa95d11e8a2056747927363fdf84f4156fcccaddb1ff82091afb5d8d14d183b2dbab34

/data/data/com.winnergame.bwysz_new/databases/app.db-journal

MD5 376084d9d2f276aaf504d61e94d7fd04
SHA1 bdf565ee51029cbd8e40e898b5a06ffd4dd2b232
SHA256 24d991ed3d220655c4982a934ce81aff0717d054404052575c7a20bf2baa23cc
SHA512 15ac3bf9d333744bb388694efed6b20884298691a9ae232a5fd3f3c36d52c69f3de440d65933d00bdc2491947c4f18daf5b074057f6fd7e920ed53528499f547

/data/data/com.winnergame.bwysz_new/databases/app.db

MD5 c0894b15cfcfa1316c6210de788150a1
SHA1 ab52a419d789d86e76abdee30bcedb6dc313324b
SHA256 3bcebd359777555dc2e0ceaefabf259e862204357696b5c550d9757ea254539d
SHA512 aef57e4fc67f614ad5379812679531ebf1310bd6841ab0f50e5f33c774f69492bdc77a9d41378db30ef45ae57160123945a504b7bb5347220cccba14a11f0aa1

/data/data/com.winnergame.bwysz_new/databases/app.db-shm

MD5 a89e2b2267d2471372e7ea636ac335c1
SHA1 b7fac50225b4a72de520d18c9a2f4f5c42607097
SHA256 82c04aed70c69a4591938c232f69fe070b33d587a7004704712c957420b87c32
SHA512 f1ed46f1aa5430f23b38ad179a19e48ab0fbf6f5aff4c61689d2dd9ca7b456c10bf48ba24d05efffd990875d042d05fc626223237560b6eb941fae57ca71b99d

/data/data/com.winnergame.bwysz_new/databases/app.db-wal

MD5 ca60862cc321aee3b3a449af1e7febde
SHA1 d944162541ff916058ef51c7ab06cdfded3daf84
SHA256 ea0b0c6e97c4cc9cae09d3707e8f5b713948458aa4616c2fb66ec97a9ffe074e
SHA512 20860541f467696f9fb116d17cfa836ce9cfeee0dc058551a2227f90286a5e8cc4eb48559d320c701b2952eea7c3a3731f2241b53d56662cfced6b62c96fbd56

/data/data/com.winnergame.bwysz_new/databases/dk_user.db-journal

MD5 14333af0a37109b6d1d87d1b48a8ffa6
SHA1 c81b8f6cd2b9f7e704e47aadf24953affbe63823
SHA256 a94cea847fb14e10d51b1c0b8f3d50d09d67e2a3a4663812b4062ab0e742fe7e
SHA512 a14e18a64f93fa07b4462fad9a8869c908cc762a6578eac46172bd9dbaa6700dc306379d85e32466d668db1c1b071d98c5e528524ace445f2f5756f790b5782d

/data/data/com.winnergame.bwysz_new/databases/dk_user.db

MD5 e1b797afd18bb178623eaa48104ac5c8
SHA1 518923cc95bd9d44304fa26f69b951eeba07adb5
SHA256 33efb8a857446d559080241837688c8c87a54f89bf3c4a4dd38425097c90b2fa
SHA512 cc980249da812012faa7401eb21712caaf332527ddaac3ad03c109694b565ad5e9208273f285e941dc01b678d6d1ac512e860a548ed4c66ef0bdb555e1406753

/data/data/com.winnergame.bwysz_new/databases/dk_user.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.winnergame.bwysz_new/databases/dk_user.db-wal

MD5 a9e2261d717fe9cce9108c138822ccbe
SHA1 6661c9c98fcb40a3a23a6cddc283bda618d9fa05
SHA256 92aee60e31bb8db3db6e7ff6c2eda1bff13fbd09d93577c693edd4a43fcb9846
SHA512 de3aa0ba232ed871de402f13a12894a8f9aad004b6eeb46e9f034e07f9763097fd087fe10e1c77fb9d441b4b464e505c7f186fcb391e2380944384d25725871c

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:37
Platform: android-x86-arm-20240611.1-en
Max time kernel: 7s
Max time network: 164s

Command Line

com.baidu.platformsdk.wxpay

Signatures

N/A

Processes

com.baidu.platformsdk.wxpay

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:37
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 7s
Max time network: 133s

Command Line

com.baidu.platformsdk.wxpay

Signatures

N/A

Processes

com.baidu.platformsdk.wxpay

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:34
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-06-14 02:34
Reported: 2024-06-14 02:34
Platform: android-x64-arm64-20240611.1-en
Max time network: 7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp

Files

N/A