Malware Analysis Report

2024-09-09 17:09

Sample ID: 240614-fh358azckr
Target: a80fd0638c4e0acbf3de6d886571d449_JaffaCakes118
SHA256: 4a4a78e80799e5b011ee41759581945cb70e9d10a4777c67eaa56e194fb0a0a3
Tags: banker, discovery
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 4a4a78e80799e5b011ee41759581945cb70e9d10a4777c67eaa56e194fb0a0a3

Threat Level: Shows suspicious behavior

The file a80fd0638c4e0acbf3de6d886571d449_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: banker, discovery

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 04:53

Signatures

Requests dangerous framework permissions

Description                                           Indicator                                   Process  Target
Allows an application to write to external storage.   android.permission.WRITE_EXTERNAL_STORAGE   N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x86-arm-20240611.1-en
Max time kernel: 8s
Max time network: 131s

Command Line

com.rexsee.wangxiaoguang.DaBianChaoRen

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Processes

com.rexsee.wangxiaoguang.DaBianChaoRen

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
GB       216.58.204.78:443     -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.187.238:443   android.apis.google.com     tcp

Files

/storage/emulated/0/.UpBrowser/app/com.rexsee.wangxiaoguang.DaBianChaoRen/com.rexsee.wangxiaoguang.DaBianChaoRen.png

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x64-20240611.1-en
Max time kernel: 8s
Max time network: 132s

Command Line

com.rexsee.wangxiaoguang.DaBianChaoRen

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Processes

com.rexsee.wangxiaoguang.DaBianChaoRen

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       142.250.187.200:443   ssl.google-analytics.com    tcp
GB       172.217.169.10:443    -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.200.46:443    android.apis.google.com     tcp
GB       172.217.169.78:443    -                           tcp
GB       142.250.179.226:443   -                           tcp
GB       172.217.169.42:443    -                           tcp
GB       142.250.187.196:443   -                           tcp
GB       142.250.187.196:443   -                           tcp
GB       172.217.169.14:443    -                           tcp

Files

/storage/emulated/0/.UpBrowser/app/com.rexsee.wangxiaoguang.DaBianChaoRen/com.rexsee.wangxiaoguang.DaBianChaoRen.png

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 7s
Max time network: 137s

Command Line

com.rexsee.wangxiaoguang.DaBianChaoRen

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Processes

com.rexsee.wangxiaoguang.DaBianChaoRen

Network

Country  Destination           Domain                      Proto
GB       172.217.16.238:443    -                           tcp
GB       172.217.16.238:443    -                           tcp
N/A      224.0.0.251:5353      -                           udp
GB       216.58.201.106:443    -                           tcp
GB       216.58.201.106:443    -                           tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       172.217.169.72:443    ssl.google-analytics.com    tcp
GB       172.217.169.68:443    -                           tcp
GB       172.217.169.68:443    -                           tcp

Files

/storage/emulated/0/.UpBrowser/app/com.rexsee.wangxiaoguang.DaBianChaoRen/com.rexsee.wangxiaoguang.DaBianChaoRen.png

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x86-arm-20240611.1-en
Max time kernel: 165s
Max time network: 139s

Command Line

rexsee.up

Signatures

N/A

Processes

rexsee.up

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            www.rexsee.com              udp
CN       59.110.27.139:80      www.rexsee.com              tcp
GB       216.58.212.238:443    -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.187.206:443   android.apis.google.com     tcp

Files

/data/data/rexsee.up/databases/application.db-journal

/data/data/rexsee.up/databases/application.db

/data/data/rexsee.up/databases/application.db-shm

/data/data/rexsee.up/databases/application.db-wal

/storage/emulated/0/.UpBrowser/null/log/20240614.txt

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x64-20240611.1-en
Max time kernel: 138s
Max time network: 151s

Command Line

rexsee.up

Signatures

N/A

Processes

rexsee.up

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
GB       142.250.179.234:443   -                           tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       172.217.169.8:443     ssl.google-analytics.com    tcp
US       1.1.1.1:53            www.rexsee.com              udp
CN       59.110.27.139:80      www.rexsee.com              tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.187.238:443   android.apis.google.com     tcp
GB       142.250.200.14:443    -                           tcp
GB       172.217.169.66:443    -                           tcp
GB       216.58.204.78:443     -                           tcp
GB       216.58.201.100:443    -                           tcp
GB       216.58.201.100:443    -                           tcp

Files

/data/data/rexsee.up/databases/application.db-journal

/data/data/rexsee.up/databases/application.db

/storage/emulated/0/.UpBrowser/null/log/20240614.txt

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-14 04:53
Reported: 2024-06-14 04:56
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 135s
Max time network: 166s

Command Line

rexsee.up

Signatures

N/A

Processes

rexsee.up

Network

Country  Destination           Domain                      Proto
GB       142.250.187.206:443   -                           tcp
GB       142.250.187.206:443   -                           tcp
N/A      224.0.0.251:5353      -                           udp
GB       216.58.212.234:443    -                           tcp
GB       216.58.212.234:443    -                           tcp
US       1.1.1.1:53            www.rexsee.com              udp
US       1.1.1.1:53            ssl.google-analytics.com    udp
CN       59.110.27.139:80      www.rexsee.com              tcp
GB       142.250.200.40:443    ssl.google-analytics.com    tcp
GB       216.58.212.196:443    -                           tcp
GB       216.58.212.196:443    -                           tcp
GB       216.58.201.110:443    -                           tcp
GB       216.58.213.2:443      -                           tcp
GB       172.217.169.10:443    -                           tcp

Files

/data/user/0/rexsee.up/databases/application.db-journal

/data/user/0/rexsee.up/databases/application.db

/storage/emulated/0/.UpBrowser/null/log/20240614.txt
