Malware Analysis Report

2024-09-09 17:40

Sample ID 240614-ctbcsswamm
Target a7b3c375ad11f966d0281e09e2df6ef1_JaffaCakes118
SHA256 46626bca00d0c9fcb59531ba8090ed781de0c9fbdc3301255d79199568ca27e2
Tags
discovery evasion impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

46626bca00d0c9fcb59531ba8090ed781de0c9fbdc3301255d79199568ca27e2

Threat Level: Shows suspicious behavior

The file a7b3c375ad11f966d0281e09e2df6ef1_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion impact

Loads dropped Dex/Jar

Queries information about running processes on the device

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:21

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to add voicemails into the system. com.android.voicemail.permission.ADD_VOICEMAIL N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:21

Reported

2024-06-14 02:24

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

138s

Command Line

AbV.SkOn.CP.hhyS

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/AbV.SkOn.CP.hhyS/app_zip/classes.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

AbV.SkOn.CP.hhyS

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/AbV.SkOn.CP.hhyS/app_libs/dxk


/data/data/AbV.SkOn.CP.hhyS/app_libs/0dxk


/data/data/AbV.SkOn.CP.hhyS/app_libs/1dxk


/data/data/AbV.SkOn.CP.hhyS/app_zip/classes.jar


/data/data/AbV.SkOn.CP.hhyS/app_zip/libus.so


/data/user/0/AbV.SkOn.CP.hhyS/app_zip/classes.jar


/data/data/AbV.SkOn.CP.hhyS/files/K


/data/data/AbV.SkOn.CP.hhyS/files/0K


/data/data/AbV.SkOn.CP.hhyS/files/1K


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:21

Reported

2024-06-14 02:21

Platform

android-33-x64-arm64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.68:443 udp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp

Files

N/A