Malware Analysis Report

2024-09-09 12:52

Sample ID 240614-cypqzswbpn
Target a7b8b9300898de8578df598c57f0704a_JaffaCakes118
SHA256 0f1def56504b72206adb7f27125c6e8608af0ba2d178ce7b54c86b1dcc339e78
Tags banker discovery impact persistence collection evasion
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 0f1def56504b72206adb7f27125c6e8608af0ba2d178ce7b54c86b1dcc339e78

Threat Level: Shows suspicious behavior

The file a7b8b9300898de8578df598c57f0704a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery impact persistence collection evasion

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-14 02:29

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 02:29
Reported 2024-06-14 02:32
Platform android-x86-arm-20240611.1-en
Max time kernel 137s
Max time network 174s

Command Line

com.chinat2t33171yuneb.templte

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.chinat2t33171yuneb.templte

com.chinat2t33171yuneb.templte:bdservice_v1

Network

Country | Destination         | Domain                  | Proto
N/A     | 224.0.0.251:5353    | N/A                     | udp
US      | 1.1.1.1:53          | 33171.yuneb.com         | udp
US      | 1.1.1.1:53          | api.tuisong.baidu.com   | udp
HK      | 103.235.47.247:80   | api.tuisong.baidu.com   | tcp
HK      | 103.235.47.247:80   | api.tuisong.baidu.com   | tcp
US      | 1.1.1.1:53          | api2.sharesdk.cn        | udp
US      | 1.1.1.1:53          | sa.tuisong.baidu.com    | udp
US      | 1.1.1.1:53          | sa.tuisong.baidu.com    | tcp
CN      | 180.97.107.116:5287 | sa.tuisong.baidu.com    | tcp
CN      | 115.227.43.65:5566  | api2.sharesdk.cn        | tcp
GB      | 142.250.187.206:443 | N/A                     | tcp
US      | 1.1.1.1:53          | android.apis.google.com | udp
GB      | 142.250.200.46:443  | android.apis.google.com | tcp
GB      | 172.217.169.10:443  | N/A                     | tcp
US      | 1.1.1.1:53          | www.baidu.com           | udp
US      | 1.1.1.1:53          | api.tuisong.baidu.com   | udp
US      | 1.1.1.1:53          | api2.sharesdk.cn        | udp
CN      | 115.227.43.65:5566  | api2.sharesdk.cn        | tcp
CN      | 180.97.107.116:80   | sa.tuisong.baidu.com    | tcp

Files

/data/data/com.chinat2t33171yuneb.templte/databases/database.db-journal

/data/data/com.chinat2t33171yuneb.templte/databases/database.db

/data/data/com.chinat2t33171yuneb.templte/databases/database.db-shm

/data/data/com.chinat2t33171yuneb.templte/databases/database.db-wal

/storage/emulated/0/baidu/.cuid

/data/data/com.chinat2t33171yuneb.templte/databases/pushstat_4.6.0.db-shm

/data/data/com.chinat2t33171yuneb.templte/databases/pushstat_4.6.0.db-wal

/data/data/com.chinat2t33171yuneb.templte/databases/pushstat_4.6.0.db

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 02:29
Reported 2024-06-14 02:32
Platform android-x86-arm-20240611.1-en
Max time kernel 3s
Max time network 159s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Processes

com.alipay.android.app

Network

Country | Destination         | Domain                  | Proto
N/A     | 224.0.0.251:5353    | N/A                     | udp
GB      | 216.58.212.238:443  | N/A                     | tcp
US      | 1.1.1.1:53          | android.apis.google.com | udp
GB      | 142.250.179.238:443 | android.apis.google.com | tcp

Files

N/A