Malware Analysis Report

2024-09-09 13:32

Sample ID 240614-hhg9vssfjr
Target a861b5adf601edea92c6f5ed1178866e_JaffaCakes118
SHA256 30d80b3e80b4971e34a3beb9d30269e8fe31187b74b95400321e4cee31ae3cd0
Tags discovery evasion execution persistence stealth trojan collection credential_access impact
Score 8/10

Analysis Overview

Threat Level: Likely malicious

The file a861b5adf601edea92c6f5ed1178866e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution persistence stealth trojan collection credential_access impact

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:44

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:44

Reported

2024-06-14 06:47

Platform

android-x86-arm-20240611.1-en

Max time kernel

24s

Max time network

131s

Command Line

com.zynga.crosswordswithfriends.hack

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zynga.crosswordswithfriends.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 freegeoip.net udp
US 104.21.81.232:443 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 104.21.81.232:80 freegeoip.net tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.212.202:443 N/A tcp

Files

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-shm

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:44

Reported

2024-06-14 06:47

Platform

android-x64-20240611.1-en

Max time kernel

25s

Max time network

152s

Command Line

com.zynga.crosswordswithfriends.hack

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zynga.crosswordswithfriends.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 freegeoip.net udp
US 104.21.81.232:443 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 104.21.81.232:80 freegeoip.net tcp
GB 172.217.169.10:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 172.217.169.78:443 N/A tcp
GB 142.250.179.226:443 N/A tcp
GB 142.250.187.196:443 N/A tcp
GB 142.250.187.196:443 N/A tcp
GB 172.217.169.14:443 N/A tcp

Files

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal

/data/data/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 06:44

Reported

2024-06-14 06:47

Platform

android-x64-arm64-20240611.1-en

Max time kernel

26s

Max time network

133s

Command Line

com.zynga.crosswordswithfriends.hack

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zynga.crosswordswithfriends.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 172.217.16.238:443 N/A tcp
GB 172.217.16.238:443 N/A tcp
GB 216.58.201.106:443 N/A tcp
GB 216.58.201.106:443 N/A tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 freegeoip.net udp
US 172.67.165.196:443 freegeoip.net tcp
US 172.67.165.196:80 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 172.217.169.68:443 N/A tcp
GB 172.217.169.68:443 N/A tcp

Files

/data/user/0/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db-journal

/data/user/0/com.zynga.crosswordswithfriends.hack/databases/evernote_jobs.db