Malware Analysis Report

2024-09-09 17:41

Sample ID: 240614-f7br9s1alj
Target: a82884616b87b37b549d3799d3e27c7a_JaffaCakes118
SHA256: be90bf6d0909096053f34a66f0da22bd5b59383e9982a1684de7eea5ead8a5dd
Tags: impact discovery evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: be90bf6d0909096053f34a66f0da22bd5b59383e9982a1684de7eea5ead8a5dd

Threat Level: Shows suspicious behavior

The file a82884616b87b37b549d3799d3e27c7a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

impact discovery evasion

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Queries information about the current Wi-Fi connection

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 05:30

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 05:30
Reported: 2024-06-14 05:33
Platform: android-x86-arm-20240611.1-en
Max time kernel: 2s
Max time network: 159s

Command Line

com.songtzu.cartoong

Signatures

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.songtzu.cartoong

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | fb.umeng.com | udp
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | N/A | tcp
GB | 216.58.212.202:443 | N/A | tcp

Files

/data/data/com.songtzu.cartoong/app_stasm/haarcascade_frontalface_alt2.xml

MD5 34b6f23b1c8875c6cb4b0f815d2f8416
SHA1 02632c3d16cd2d945b076c4357906e1d0d9fe785
SHA256 43d4c3a2924544395fd8062a1ea5591adde3a2b9913c372dc1acfd6495ab2d07
SHA512 abec0a60fbdfa7c59b92591f897f2382732dcb518cb4e3658ff8c2cbc2e3e1dc9300589f29200868c8d0d8ebd5875aaa9eefcd90b938b832f67cb00d42986a1e

/data/data/com.songtzu.cartoong/files/wh.jar

MD5 9cd10d00dc95a80fdc54df4d823fc68c
SHA1 d4514d98ab381451bc98d88f8f73e18035a1f3f5
SHA256 c25d7ad8f56fd7709a5a85472bfcc0a3287ca0413311c3ce2a30030a8e8dbd2e
SHA512 e687fcb07655778a38233c97e067006e5d27a5acd17215599395a58af9644c8cd656f72b9006d1d47b8d5bfb07cff79397bb550d748616612d190946fc622aa0

/data/data/com.songtzu.cartoong/files/so.jar

MD5 eb691d2d9a68de74736ddc8f87f100b2
SHA1 43ca7d5e9e1350de3e874c1b796bca800f54cb9f
SHA256 f59ed6d2ed400e01ef57fae6d420ee78d8ac6b92d63f91d661c2970309936c4d
SHA512 e912c4a6e68af5b1984db64229d5e0d1b2d0d8b6cb727d99f40b8f3588f957dc182be3b459932aeccf14586ed4239a651deba420765fdd931268b0102c6f07b3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 05:30
Reported: 2024-06-14 05:33
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 11s
Max time network: 132s

Command Line

com.songtzu.cartoong

Signatures

Loads dropped Dex/Jar

Tag: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.songtzu.cartoong/files/lo.jar | N/A | N/A
N/A | /data/user/0/com.songtzu.cartoong/files/wh.jar | N/A | N/A
N/A | /data/user/0/com.songtzu.cartoong/files/so.jar | N/A | N/A
N/A | /data/user/0/com.songtzu.cartoong/files/jh.jar | N/A | N/A
N/A | /data/user/0/com.songtzu.cartoong/files/bj.jar | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

Tag: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.songtzu.cartoong

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.16.234:443 | N/A | tcp
GB | 172.217.16.234:443 | N/A | tcp
GB | 216.58.204.78:443 | N/A | tcp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | fb.umeng.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | N/A | tcp
GB | 142.250.178.4:443 | N/A | tcp

Files

/data/user/0/com.songtzu.cartoong/app_stasm/haarcascade_frontalface_alt2.xml

MD5 27968930fbbc590f038dce22ff0e70ad
SHA1 a24eab68ed0bc644ea81c4d17b8143fecf4950c6
SHA256 f14cf5e321f9d9b6186e81e307f309fbe8efc03598ddbf0ca4070f0794ffc30a
SHA512 f7bd3e5cde76b9639a947b65528380e80abfd910f03347a1375fda1ee2544d6886ae226e7d6640225add64ac9f8d842add727fd137133093f1e77eb578d2073f

/data/user/0/com.songtzu.cartoong/files/lo.jar

MD5 d0c89d85dfa05939080ae1725a7863c5
SHA1 59faf865a58a05d7e3f90d3e4380d9d01aefcf56
SHA256 943c6fbef064518131d6d2e62e156b2b32c2e86de933bfa6a12e93d0bface4ed
SHA512 2b3e12cea48d22b3ce10c2e6d47b71b802d006cfb1e0a6e2286a676c08f61353f3f737e0e69220a9968c67340781f3445d887d8f875ab195e7fff74aadce2a25

/data/user/0/com.songtzu.cartoong/files/so.jar

MD5 eb691d2d9a68de74736ddc8f87f100b2
SHA1 43ca7d5e9e1350de3e874c1b796bca800f54cb9f
SHA256 f59ed6d2ed400e01ef57fae6d420ee78d8ac6b92d63f91d661c2970309936c4d
SHA512 e912c4a6e68af5b1984db64229d5e0d1b2d0d8b6cb727d99f40b8f3588f957dc182be3b459932aeccf14586ed4239a651deba420765fdd931268b0102c6f07b3

/data/user/0/com.songtzu.cartoong/files/bj.jar

MD5 89898c90943c3c9efd22731ae6e66b8a
SHA1 643dcdb28b33eb2ad67b0bf167c0fdf36ae636e9
SHA256 1dbacb4a0a05dd3efbfdef6bd3f0b2f2189695fa20d67cb4a3ac29deb505fbb2
SHA512 5fe48cc7bd1cc967d37b7ef28003ad0dac039fa91171db0cd7902c099f935c8adea82c67e027d2e6293791bb8ceff9c50e58fd08805d6bbb29ceb10b0e7cee8b

/data/user/0/com.songtzu.cartoong/files/wh.jar

MD5 9cd10d00dc95a80fdc54df4d823fc68c
SHA1 d4514d98ab381451bc98d88f8f73e18035a1f3f5
SHA256 c25d7ad8f56fd7709a5a85472bfcc0a3287ca0413311c3ce2a30030a8e8dbd2e
SHA512 e687fcb07655778a38233c97e067006e5d27a5acd17215599395a58af9644c8cd656f72b9006d1d47b8d5bfb07cff79397bb550d748616612d190946fc622aa0

/data/user/0/com.songtzu.cartoong/files/lo.jar

MD5 af2bafd6107be7bd60e23fabc4e2722e
SHA1 a9c2f637260a5483ef0a9bcbd84d1305c0ff30b8
SHA256 d4e48b6bd9254878362d87fa2a34499c0b71d78060e991974a3b477bb7c70ff6
SHA512 efa251ada256f3cee477adf9f3ff6467d99d985d110cf685891176db6b185abd2d658a1db7e3d54e05b686617a6dedf8d95489b9265da96e81145ae61b6ae7fd

/data/user/0/com.songtzu.cartoong/files/jh.jar

MD5 0ca73ab4dc99304689ee9aea5f3031ca
SHA1 f910a8f5bd6bbcfed4f18fd975ece9f6dbc66452
SHA256 3ae6fdb71c3d3dc1f1ced98aaf9e427c4569cfa0c46b1830e5246ef38da46228
SHA512 38d22b0061985050ce26a2a3c9d245f997a23f52b42620f290606510d6f8ea1ae0361ab1c529ab02ba30c2c1a47748f0391ca011881d5c21826f5551ec014f35

/data/user/0/com.songtzu.cartoong/files/wh.jar

MD5 9975c14793e0791f19615250833b1e2b
SHA1 9d5f0f7dc400596fe4f8dde753da34ed8d5c42b6
SHA256 38d33f81cf22a112cf9551115cc736312d8e7ab771d6d8e23cdeff4a0f39b3d4
SHA512 b42e23786db3d47d35b1226b1b7af42a636532063fdf44765e432dda31e2161876b1979544d4c45c2cdfd18499a2dfcc6ec16c9af0da6b156579ece31f07c4fa

/data/user/0/com.songtzu.cartoong/files/so.jar

MD5 804cebc45bd90ef299a9030273bcf92f
SHA1 9880f02c55e63b0099ee70cf3df5812893718514
SHA256 c0945b949718fb437f04e5fc00aa119e12718ffe6820cd52032150a4d3de5753
SHA512 b717cac3e44f1604e99ff02bb2401d57539fa8bf1fc790918b3a216012168c911c45f3dfe6576a20bd51b41aa8d30210d8d7ed3981ac333e7583128dd653f933

/data/user/0/com.songtzu.cartoong/files/jh.jar

MD5 68127cf419d7acd3fac75217ac193d06
SHA1 d1447d2c8fa6de0075627998525e3391a8480ad9
SHA256 4b183473cace77801079756ae2f946850511c03897a20e6d63569f5a21596d9c
SHA512 c9b7fe9fa5eb5b3664b3a5be4035b93a2bd12c7bcfb15c5dd54db5d0bc913e5f2ec1cc53f51d7ab24c9d33d52e5735ff49b14f21dc4079823e9204707c318454

/data/user/0/com.songtzu.cartoong/files/bj.jar

MD5 0a5e0645cfa86de343d4bcaa5ef5f368
SHA1 183dc4b59734f720c03930b5b6a7922d70400307
SHA256 cb64b4b4982a5bcb998ae9d10f2cc7d128f77c523666443f9c2913bc51d89a5b
SHA512 abe3587d9a79cc1b85c7342021f7f349119406150d69b484d97024a2f2982321d1902ecc1e0d2a90932452e8e70bc8c889d7cdc45fc05eda2ac8f75a98e85f79

/data/user/0/com.songtzu.cartoong/app_stasm/haarcascade_mcs_lefteye.xml

MD5 bacc89e2f4a845ada5aaa7073682879b
SHA1 e83fb17978cfd815686379ae019cb7200d737c93
SHA256 8caf438737940056f5da1e3b94f88f60b93a7ffe54d90e120a6068dc6b027273
SHA512 9a6bd31cc841aa46b0c7e4ddb98f5217fadf49f6c7c386c8ef2c98c996947512c2afc8e41c67498fe0c4fde26af9e9d3450541490cf64ec18579bc92baaaf3b7

/data/user/0/com.songtzu.cartoong/app_stasm/haarcascade_mcs_righteye.xml

MD5 5d8334ed7f9f7363d00e655441590fea
SHA1 f3497b94dcd91910e1642dc77b0eb5ab74b21f79
SHA256 bf5f20f822403e9a4695f7200467f6c930077cd4903a62cce0553fe48cf16943
SHA512 3ca0e7080d0cc06ff135d2bcfa5f4b87b1c9e0a3cef40847986179296f2dc469844255b4b8dc9df0d50c76efdbe1df2a29e1baaca311905bde8925c34d9b32f3

/data/user/0/com.songtzu.cartoong/files/umeng_it.cache

MD5 f38413a2793ea77012d772cb09ae4c81
SHA1 4074d8c5e2be4ab66a62d4387514cf0f22bb8002
SHA256 581fa853d7fbe22291a0157b9665383d29026cd98dc0c031bba7af4c0d490b07
SHA512 834be9b7ca40efc83b5dd2d7b92ac3eedaceb05326e75ace18238cde97ff8d68b446d0941dcad45fa4051b3267b747e76e4af5550112323b20ed520e212c9753

/data/user/0/com.songtzu.cartoong/files/.umeng/exchangeIdentity.json

MD5 5bd9e68251b9d76c2192ac9302e66571
SHA1 e0624eca8477d36a70db9c21a674ad7617f405dc
SHA256 b3034bfc956c0300863b898d989a5f282f3b05f51345d7a5ed2545ad38477547
SHA512 73a5c144176bc7abce5bbb139623e5fcf044c6a28f4b2e483f4426d90b604f84eaa842456749c49b1ba2f8ed77b8e00f1ad23df47294135adb2b15c9bb53a315