Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-gw92cs1hlj
Target a844db6c33af9995ae278e6faef2291b_JaffaCakes118
SHA256 503961a0cb2cf1784cdd28b558b059bcf5e74b6d0b125c7c9255405139f21242
Tags
persistence collection discovery evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

503961a0cb2cf1784cdd28b558b059bcf5e74b6d0b125c7c9255405139f21242

Threat Level: Shows suspicious behavior

The file a844db6c33af9995ae278e6faef2291b_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence collection discovery evasion

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:10

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:10

Reported

2024-06-14 06:13

Platform

android-x86-arm-20240611.1-en

Max time kernel

153s

Max time network

151s

Command Line

com.zl.tk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Processes

com.zl.tk

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |

Files

/data/data/com.zl.tk/data.png

MD5 4fbbf9e0f0df2711f56befcef073e59f
SHA1 72e7e8e7ad681fee33221d216340d8f47884f28b
SHA256 f5fa3df344c2f3b889b7f697150c18c7ff21f8efed20a71bfc5b08b2d129ecd9
SHA512 efd53fb2c217b43681a67cb261ce7f406115199b6752a4f35ec520dc645b0d7b1cad11f35daa6c5ce16e84d09074f5fbb0f0c1fc067abb0606787a7c5b93db62

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:10

Reported

2024-06-14 06:13

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

157s

Command Line

com.alipay.android.app

Signatures

Requests cell location

collection discovery evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |

Queries information about active data network

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Processes

com.alipay.android.app

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | | tcp |

Files

N/A