Malware Analysis Report

2024-10-19 13:26

Sample ID 240614-gwtpdaxgpe
Target a8444d28197e06d165e39dfdc453e9f5_JaffaCakes118
SHA256 59c6fa98a482bc60fcbe92538d0f66b7258d5c513a62eebd50cdef11208ae13b
Tags
evasion
score
7/10

Analysis Overview

score
7/10

SHA256

59c6fa98a482bc60fcbe92538d0f66b7258d5c513a62eebd50cdef11208ae13b

Threat Level: Shows suspicious behavior

The file a8444d28197e06d165e39dfdc453e9f5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

evasion

Checks known Qemu pipes.

Checks Android system properties for emulator presence.

Checks Qemu related system properties.

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:09

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:09

Reported

2024-06-14 06:12

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

159s

Command Line

com.lerays.weitt

Signatures

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.product.device | N/A | N/A
Accessed system property key: | ro.product.model | N/A | N/A
Accessed system property key: | ro.product.name | N/A | N/A
Accessed system property key: | ro.serialno | N/A | N/A
Accessed system property key: | ro.bootloader | N/A | N/A
Accessed system property key: | ro.bootmode | N/A | N/A
Accessed system property key: | ro.hardware | N/A | N/A

Checks Qemu related system properties.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.kernel.qemu.gles | N/A | N/A
Accessed system property key: | ro.kernel.qemu | N/A | N/A
Accessed system property key: | init.svc.qemud | N/A | N/A
Accessed system property key: | init.svc.qemu-props | N/A | N/A
Accessed system property key: | qemu.hw.mainkeys | N/A | N/A
Accessed system property key: | qemu.sf.fake_camera | N/A | N/A
Accessed system property key: | ro.kernel.android.qemud | N/A | N/A

Checks known Qemu pipes.

evasion
Description | Indicator | Process | Target
N/A | /dev/socket/qemud | N/A | N/A
N/A | /dev/qemu_pipe | N/A | N/A

Processes

com.lerays.weitt

getprop ro.product.cpu.abi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.lerays.weitt/files/libexec.so

MD5 b373c875e5f94591bef495c900b9117b
SHA1 540f1dad31b336619402a0c56715c749d60fa3a7
SHA256 7d91ea267e66a41f11e3266f7c25dad9a02f8b798e36b66f6c7b8757eb2b8b98
SHA512 6529d0c6c746bcfc9ab3e249bc8064f8b0246fda03dd7ba1a205985def030f8a873754f90d7b6a3ca0f7c567f66ee3e2a08b623baabf044680233000f6af45d3

/data/data/com.lerays.weitt/files/libexecmain.so

MD5 bc0800b3b012152cb0777c37095bd112
SHA1 dbc55b0412436cde0525d31982ed4d1ee1472329
SHA256 465d0e121f47af6242f8d62bfcb94d9574de8f59d3bb4a8f58e59f7c996e9505
SHA512 77f28c55610ad14fad45cf5cb2bed971337d98703aaac3e4a1e10f88b9b9e754be19b6b6b28367365d662b6d63b8a7f49d4cb992f801dc85ba974af287186006

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:09

Reported

2024-06-14 06:09

Platform

android-33-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.204.74:443 | | tcp
BE | 142.251.168.188:5228 | | tcp
GB | 142.250.179.228:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.68:443 | | udp
GB | 172.217.169.68:443 | | tcp

Files

N/A