Malware Analysis Report

2024-09-09 17:41

Sample ID 240614-d4b8hstejb
Target a7ddbf21f8265b085fb84ee15b49f520_JaffaCakes118
SHA256 013a3b3f9f5a1bb6642ca69f9fdb9e71c9ccdeb7511bfaf6720585ba70cfa1fd
Tags
discovery impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

013a3b3f9f5a1bb6642ca69f9fdb9e71c9ccdeb7511bfaf6720585ba70cfa1fd

Threat Level: Shows suspicious behavior

The file a7ddbf21f8265b085fb84ee15b49f520_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:33

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:33

Reported

2024-06-14 03:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

136s

Command Line

com.jielan.ningbowisdom.ui

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.jielan.ningbowisdom.ui

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:443 api.map.baidu.com tcp
HK 103.235.46.245:443 api.map.baidu.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/data/com.jielan.ningbowisdom.ui/files/libcuid.so

MD5 c88ff76edb47a77a4ddd17a223b51608
SHA1 59a429fd5750bfcbdf05276e6ab8585ed8fe8bc6
SHA256 fe39ecb7a6ddd1f52bc75d2a3dc1e54ec80b2017a787966c4d76f037245402a8
SHA512 134f3ac5e36b0d40e381e1f6d5b13aa3b13f5a943d8ffe1d496968e5e3acc380220541dcbd8f492739c8ff54a8cb7507792edd4bff8326a5e6a7b68c49923289

/storage/emulated/0/backups/.SystemConfig/.cuid

MD5 fc26319a48a43402df05bb570c749c85
SHA1 b88313c7cd58d39d752fbcb971b8ab8ce53dc2ed
SHA256 8c54c983dc3ca46e00054a5508009b87b8946a932824b01ac21fbaeb18ea03fd
SHA512 73c64a223a54314c13096865686c9104da2ebf11ae91a09df7fdb3265411f156c563eee55b1900bb7761fef500334cf80be5b20732701c6b1e3ff52f01855d99

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:33

Reported

2024-06-14 03:36

Platform

android-x64-20240611.1-en

Max time kernel

2s

Max time network

190s

Command Line

com.jielan.ningbowisdom.ui

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.jielan.ningbowisdom.ui

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 api.map.baidu.com udp
HK 103.235.46.245:443 api.map.baidu.com tcp
HK 103.235.46.245:443 api.map.baidu.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 172.217.169.42:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.10:443 tcp
GB 172.217.169.14:443 tcp

Files

/data/data/com.jielan.ningbowisdom.ui/files/libcuid.so

MD5 7a9f183fe68e2c98f3a919dce0f0bcf0
SHA1 9925e30e5168841f040d227e46f462d298844068
SHA256 c0554ef1262abd6323a45146fe12d92e46883ef6dae8c7270030c9a8632e6d0c
SHA512 d8126d88c2b3a513ceab80eaff064b958b6a0e0adf262d3cc33f985d6d04bf0d48fa7ddb10d6ddfa9554128c2aed31ade01594e36feaae1833ba144669d14b1d