Malware Analysis Report

2024-09-09 17:09

Sample ID 240614-dql6katame
Target a7cec5677fd25edec6781d411643ccd7_JaffaCakes118
SHA256 8d9c2679510fc88685494f9d43a2259efbed6526cd9375f5d34df03df6a9d0d4
Tags
banker discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 8d9c2679510fc88685494f9d43a2259efbed6526cd9375f5d34df03df6a9d0d4

Threat level: shows suspicious behavior

The file a7cec5677fd25edec6781d411643ccd7_JaffaCakes118 was classified as showing suspicious behavior. The verdict rests on the permissions declared in the manifest (overlay, phone state, accounts, location, camera, storage) and on the behaviour seen on the device (enumerating installed apps, reading the network operator, loading code dropped to external storage); no command-and-control traffic was recorded during the detonation.

Malicious Activity Summary

banker discovery evasion

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 03:12

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row: the static stage reads these permissions from the manifest, so the table shows what the app asks for, not what the user granted. SYSTEM_ALERT_WINDOW and WRITE_SETTINGS are special-access permissions the user must enable in Settings; the location, phone state, camera, accounts and storage entries are runtime permissions that require a prompt. An overlay permission combined with enumeration of installed apps is the classic precondition for the screen-overlay credential theft that banking trojans perform.

Indicator                                  Description
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.ACCESS_COARSE_LOCATION  Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location. (Listed twice by the static stage.)
android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
android.permission.CAMERA                  Required to be able to access the camera device.
android.permission.GET_ACCOUNTS            Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 03:12
Reported: 2024-06-14 03:16
Platform: android-x86-arm-20240611.1-en
Max time kernel: 5s
Max time network: 130s

Command Line

com.android.uam

Signatures

Loads dropped Dex/Jar

Tag: evasion

Indicator: /storage/emulated/0/Android/data/am/cm.zip (recorded twice, once per write of the file; the two hash sets are listed under Files)
Process and Target: N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Reads information about phone network operator.

Tag: discovery

Processes

com.android.uam

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/storage/emulated/0/Android/data/am/cm.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/storage/emulated/0/Android/data/am/oat/x86/cm.odex --compiler-filter=quicken --class-loader-context=&

dex2oat is the ART ahead-of-time compiler; the runtime spawns it when a class loader opens a dex file that has no compiled oat file yet. Here it was run on /storage/emulated/0/Android/data/am/cm.zip, the file the sample had just dropped, with the compiled output going to /storage/emulated/0/Android/data/am/oat/x86/cm.odex. Both paths are on shared external storage, so the code being executed is not part of the signed APK and can be replaced by anything able to write to that directory. The command line is truncated in the report after --class-loader-context=.

Network

Country  Destination             Domain                    Proto
GB       172.217.169.74:443      N/A                       tcp
N/A      224.0.0.251:5353        N/A                       udp
GB       142.250.187.238:443     N/A                       tcp
US       1.1.1.1:53              android.apis.google.com   udp
GB       142.250.187.238:443     android.apis.google.com   tcp
GB       172.217.169.74:443      N/A                       tcp
GB       172.217.169.74:443      N/A                       tcp

224.0.0.251:5353 is the mDNS multicast group and 1.1.1.1:53 is the DNS lookup that resolved android.apis.google.com; the TCP/443 destinations are Google addresses (one of them is the resolved android.apis.google.com), i.e. platform traffic from the emulator image rather than infrastructure belonging to the sample. No command-and-control traffic was captured in the 130 s network window, so the banker verdict rests on the permissions and on-device behaviour, not on network evidence.

Files

The same path appears twice with different hashes: the sample wrote /storage/emulated/0/Android/data/am/cm.zip twice during detonation with different contents, which matches the two rows under Loads dropped Dex/Jar. When hunting for this sample, match on both hash sets and on the path and load behaviour, not on content alone, since the payload changes between writes.

/storage/emulated/0/Android/data/am/cm.zip (first entry)

MD5 cb1ab377075311a5356d63bcc8ae67fe
SHA1 c23a8fdf959a0b861893382b3a81c6b4253c751a
SHA256 65a3e37ee062d2524ea1f97a742d13783d3499ce83aa575a9c9527a2af65749f
SHA512 1342c9286724948e4395696623972f683ce4dc3ec89adb2669276b6db35de5106d0adbcec145a3b8d84624fabeca29ee9f7e066f8619dcf32adc778bd172e3a3

/storage/emulated/0/Android/data/am/cm.zip (second entry)

MD5 bf18939bd1f7192f9fbcf5f0c5d6ed79
SHA1 31546bcd7e77786ddaf680f1c5d6d3b299aca82e
SHA256 c751b312d820c637e867f8c09609f74ccbd3cc7871de0141b7fd8425b026b89a
SHA512 d0698ef58ed1c18496e6cfcd06cb73a1505ec7e643ce090692755d74c0e5a32779374856bfa54f33f880a8050e35fefb3b42c3243521c65b3fa856d9055ddf81
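The following triage helper is an added example for the Loads dropped Dex/Jar finding and the Files section above; it is not part of the sandbox output and not code from the sample. It reuses the dex2oat command line recorded under Processes and the two SHA-256 values from Files, and it flags any --dex-file argument that lives on shared storage, then inspects a dropped archive for DEX payloads by magic bytes rather than by entry name (a raw .dex renamed to .zip is handled too). The archive it inspects is constructed in memory for the example, so the hash comparison returns no match; point it at the real cm.zip to get one. The storage prefixes and the helper names are this example's own choices.

```python
"""Triage helper for a 'Loads dropped Dex/Jar' finding.

Added example for this report, not sandbox output and not sample code.
1. Parse a dex2oat command line and return every --dex-file path, flagging
   the ones on shared/external storage (code loaded from outside the APK).
2. Inspect the dropped archive: find DEX payloads by magic bytes, accept a
   bare .dex, and compare the SHA-256 with the two hashes the report lists.
"""
import hashlib
import io
import shlex
import zipfile
from typing import Optional

# Copied from the Processes section (truncated there after
# --class-loader-context=, which is why the last argument is just "&").
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/storage/emulated/0/Android/data/am/cm.zip "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/storage/emulated/0/Android/data/am/oat/x86/cm.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# SHA-256 values from the Files section (two writes of the same path).
REPORTED_SHA256 = {
    "65a3e37ee062d2524ea1f97a742d13783d3499ce83aa575a9c9527a2af65749f": "cm.zip (first entry)",
    "c751b312d820c637e867f8c09609f74ccbd3cc7871de0141b7fd8425b026b89a": "cm.zip (second entry)",
}

DEX_MAGIC = b"dex\n"  # followed by a 3-digit version and NUL, e.g. b"035\x00"
# Example's choice of locations any app (or the user over MTP) can write to;
# code loaded from here is not covered by APK signing.
SHARED_STORAGE_PREFIXES = ("/storage/emulated/", "/sdcard/", "/mnt/sdcard/", "/storage/self/")


def dex_files_from_dex2oat(cmdline: str) -> list:
    """Return every --dex-file=<path> argument from a dex2oat command line."""
    return [arg.split("=", 1)[1] for arg in shlex.split(cmdline) if arg.startswith("--dex-file=")]


def shared_storage_dex_files(cmdline: str) -> list:
    """Subset of dex_files_from_dex2oat() that lives on shared storage."""
    return [p for p in dex_files_from_dex2oat(cmdline) if p.startswith(SHARED_STORAGE_PREFIXES)]


def dex_entries(blob: bytes) -> list:
    """Names of ZIP entries whose content starts with the DEX magic.

    A bare DEX file (dex2oat accepts those too) is reported as "<raw dex>";
    anything that is neither a DEX nor a ZIP yields an empty list.
    """
    if blob.startswith(DEX_MAGIC):
        return ["<raw dex>"]
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            hits = []
            for info in zf.infolist():
                with zf.open(info) as fh:
                    if fh.read(len(DEX_MAGIC)) == DEX_MAGIC:
                        hits.append(info.filename)
            return hits
    except zipfile.BadZipFile:
        return []


def match_reported(blob: bytes) -> Optional[str]:
    """Label from REPORTED_SHA256 if blob is one of the two dropped files."""
    return REPORTED_SHA256.get(hashlib.sha256(blob).hexdigest())


def build_sample_archive() -> bytes:
    """Constructed stand-in for cm.zip: one real DEX header plus two decoys."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("assets/config.bin", b"\x00" * 16)   # data, not code
        zf.writestr("lib/decoy.dex", b"not really dex")   # .dex name, wrong magic
    return buf.getvalue()


def triage(cmdline: str, blob: bytes) -> dict:
    """Combine both checks into one record for a report or a SIEM event."""
    return {
        "dex_files": dex_files_from_dex2oat(cmdline),
        "from_shared_storage": shared_storage_dex_files(cmdline),
        "dex_entries": dex_entries(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "matches_report": match_reported(blob),
    }


if __name__ == "__main__":
    for key, value in triage(DEX2OAT_CMDLINE, build_sample_archive()).items():
        print(f"{key}: {value}")
```

Detecting by magic rather than by name matters here because the dropped file is called cm.zip, not classes.dex, and a decoy entry named .dex with the wrong header is ignored while a renamed payload is still caught.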