Malware Analysis Report

2024-09-09 17:38

Sample ID: 240614-hs782atalk
Target: a86f0c1a99695be623b5f8f3fc56520e_JaffaCakes118
SHA256: 650dbee998f8e62aa9c78778785f79159e938091096e11aec38317046271d352
Tags: banker, discovery, evasion, impact, persistence
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 650dbee998f8e62aa9c78778785f79159e938091096e11aec38317046271d352

Threat Level: Likely malicious

The file a86f0c1a99695be623b5f8f3fc56520e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, discovery, evasion, impact, persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Checks the presence of a debugger

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 07:01

Signatures

Requests dangerous framework permissions

Indicator                                   Process  Target  Description
android.permission.WRITE_EXTERNAL_STORAGE   N/A      N/A     Allows an application to write to external storage.
android.permission.READ_PHONE_STATE         N/A      N/A     Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS             N/A      N/A     Allows access to the list of accounts in the Accounts Service.
android.permission.ACCESS_COARSE_LOCATION   N/A      N/A     Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION     N/A      N/A     Allows an app to access precise location.
android.permission.CAMERA                   N/A      N/A     Required to be able to access the camera device.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 07:01
Reported: 2024-06-14 07:04
Platform: android-x86-arm-20240611.1-en
Max time kernel: 107s
Max time network: 159s

Command Line

com.lydiabox.android

Signatures

Checks if the Android device is rooted.

Tags: evasion

Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A
N/A          /system/xbin/su            N/A      N/A
N/A          /system/bin/su             N/A      N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries information about active data network

Tags: discovery

Description             Indicator                                            Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description             Indicator                                     Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Queries the mobile country code (MCC)

Tags: discovery

Description             Indicator                                                              Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Checks the presence of a debugger

Tags: evasion

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description         Indicator                                        Process  Target
Framework API call  android.hardware.SensorManager.registerListener  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description         Indicator                     Process  Target
Framework API call  javax.crypto.Cipher.doFinal   N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.lydiabox.android

getprop ro.product.cpu.abi

Network

Country  Destination           Domain                   Proto
N/A      224.0.0.251:5353      -                        udp
US       1.1.1.1:53            cn.avoscloud.com         udp
US       1.1.1.1:53            cdn.lydiabox.com         udp
HK       168.206.13.169:80     cdn.lydiabox.com         tcp
US       1.1.1.1:53            lydiabox.com             udp
HK       168.206.13.169:80     lydiabox.com             tcp
US       1.1.1.1:53            api.share.mob.com        udp
US       1.1.1.1:53            ark.cocounion.com        udp
CN       180.188.25.42:80      api.share.mob.com        tcp
CN       180.188.25.42:80      api.share.mob.com        tcp
HK       168.206.13.169:443    lydiabox.com             tcp
US       1.1.1.1:53            s0.lydiabox.com          udp
US       1.1.1.1:53            s0.tinydust.cn           udp
HK       168.206.13.169:18080  s0.lydiabox.com          tcp
GB       216.58.204.78:443     -                        tcp
US       1.1.1.1:53            android.apis.google.com  udp
GB       142.250.200.46:443    android.apis.google.com  tcp
US       1.1.1.1:53            api.share.mob.com        udp
CN       180.188.25.42:80      api.share.mob.com        tcp
US       1.1.1.1:53            api.share.mob.com        udp
CN       180.188.25.42:80      api.share.mob.com        tcp
US       1.1.1.1:53            api.share.mob.com        udp
US       1.1.1.1:53            api.share.mob.com        udp
CN       180.188.25.42:80      api.share.mob.com        tcp
CN       180.188.25.42:80      api.share.mob.com        tcp

Files

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666BEAC900E3-0001-10D4-FB3AA4D9F8D3BeginSession.cls_temp

MD5 48169f2645afd09ec794e373cf40c6b9
SHA1 92de34428f99484ccf07a488cdcf82424f815e03
SHA256 74be8cbbe671294c32778f8c69044868c8f0ecff7b48c96a1d7b3fb50ed50bed
SHA512 699df860735fc80976e1690a36944929a30bded16f26f5cd8b1b8b534396735dd86e4774728366d603e3470a1e609e8b009f9c2e0f28f64a7d3b5b584238a71a

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666BEAC900E3-0001-10D4-FB3AA4D9F8D3SessionApp.cls_temp

MD5 bebc41720d2249143be655409518b05a
SHA1 9d2440ae47d2fc4bd35fa77af05c9f1e275769b9
SHA256 dac52dc8a14b695363c2ed20cec4049261b5742d976d950d8b34b95b79119324
SHA512 010dc31f5da4ae75c063e6f6cb39c34935941beb73227bb8cab339b42ead995b946bba6016bc964c5a454c74bb87426c39d3b6d97c4c6f29414764a741217841

/data/data/com.lydiabox.android/cache/CommandCache/d53b9b0842e73f5fcd845b3c7510ce18

MD5 b67651a4fa9c3dca45f3938db3729e14
SHA1 ab439ca5e70bb6e0dec22716193cd9d84304b39d
SHA256 cff8824cfa32afbaa7f8d6ad7b1e1302a48257b78012c105fe43143a93a12af9
SHA512 9404f0dce13533d0bd6b803af3b260ef375def983e89c581d9155726512648535c43ba937e84bcd8c6227704ac9ef5dae3bbd3ef8cddde8cb621037f9eb49290

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666BEAC900E3-0001-10D4-FB3AA4D9F8D3SessionOS.cls_temp

MD5 9b3d4522944ce6396563812bfdb92fa9
SHA1 6d2a6133c8f01938a48ccc77ef86ad8ca335c020
SHA256 d32805d685a3f50caa7f1c0bd7c8804c4d937a866513289f60e3184f7a591ed9
SHA512 091d87643712530bf9006135db42a5a50742bb5ca3026bcc5f2c1c17bf4fd984a8938d29263b0abde3d15cac196d2230902534e200b0b79485e3a1bd97d95727

/data/data/com.lydiabox.android/databases/mine_app-journal

MD5 ed208c049d337f001557f62792c1f5da
SHA1 dba4369840932b678ea06d4373ba6ebede4bcded
SHA256 e078188ae5c135a5143a9de38f16b435b64391cdf35d923619602bbb13c60c50
SHA512 b31e48f5dd37a7b30c9d55cc2398f0a6d4c6301b0f4f0abb80cfd46127e62a55957b3149e2da0edd1560a575a149b35d9335350f7c90d524c430e4a31bc6b7db

/data/data/com.lydiabox.android/databases/mine_app

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lydiabox.android/databases/mine_app-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.lydiabox.android/databases/mine_app-wal

MD5 d6348994e74e0239f11a78910bb60028
SHA1 5eba9099508c160d435986b1880d58474ed02c9f
SHA256 939efff57273d997d149cd6bf890512f7f5e3a14b37e3bbafdeacc635fe8e375
SHA512 7625e425f5a98bbba252443107c645af2533768e091a5db72043898e1603eb5701496b2dabd418cfe5c187b3e2f801a9cd811e7fd8327949a7b3669c4d8b8709

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/666BEAC900E3-0001-10D4-FB3AA4D9F8D3SessionDevice.cls_temp

MD5 83c39c4bbb0bec1726ac1214c9c0bcae
SHA1 7db17c52463333c6b31d0925392bc05ba05db4ac
SHA256 4d7583181bfffca87a47c58850d63085bb99e328b1f9008bf8470b307260c0c0
SHA512 0d587f8bc4be3d8ddd40d2504b14088ec9a418267acc6597aa4c137d0c3ff68160961edf551888d7864d3ae3f4cffa540228e5c61a9b61e39ad55dd26601833a

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 b43b114920b150d658872164e9e9723b
SHA1 3f7c81b19d805ed1aa0b7397adb0725de6b7760b
SHA256 75cfa47a6c40e222118b91bea82c5afd1f61343b171c0da72e018487660008bb
SHA512 63da4647967e331c4389c3fdc9e449600954e3889f3f540d188b23bb1320d351414cc1dd0c0aac3a5f2f6b5f1b2339b075beed6b52face49c34841aa97571734

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_ff8cfcdd-2855-48aa-a7ef-1f50923a76d6_1718348490287.tap

MD5 44d8d68cfc21445cd451e4d2b6949891
SHA1 2d94343736b774482f2bd1e759a55f0fc30a03a5
SHA256 42022eb0a6b58392277190d8b1b615a7f55b5832d169776653d7bcc1852159c2
SHA512 8e21db3ee240b85d850a289695e721d77f79295f8e7f832dbb4eebe7e26b399794fd50f739241be878018ba02640813b2a3fef09ff0e48e5a83f86599205525f

/data/data/com.lydiabox.android/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

MD5 5cc230fb03ebe43433d508dbc88e67fd
SHA1 0452ccdaba89834e13fe309208428c5747df82b7
SHA256 51776ace5cb7042718ee4f354770592ee247303e49a7183f2ddb41da02115f5c
SHA512 9fc01cd4e19656e29ecbdabd1a7d38a383d10fd8b940eeaf982deb89774eec9bc12ef022ca945986761c02057905e5a7a4d4c0951c19fd71705e9f4a78fd136d

/storage/emulated/0/DCIM/clog

MD5 2898d52238d521fd94d4e9261512bcbb
SHA1 96f2776b4293072448c43872177e95518d994b2b
SHA256 1d266171686493e4220879163ea68034f7a05313d2e03980371d14b58631f80c
SHA512 8d40e88d9755e27e9198aeb5a9b04b57a67f275f8ebb0e056117d13f33a6cfa44ff4a3bf81a748baca065b080c92e7be5fbc4d5a0953854b5c7cb669231be3ee

/storage/emulated/0/ShareSDK/.dk

MD5 c9383021bd97affc44be4db7018c4d7b
SHA1 7e680409d1c86e35149bebc22f2cf8c484f0d23e
SHA256 b7b7e032170e3190a84359e5c37adede1d58b6bf4c455ef0c01f73335709bb65
SHA512 7303f068da97319891e2d25c1c737035f1cfdc365d75d954102b612000e54d7e2b5dfafe10bdf909563e2b46ec3ff9e546423bff6f0aa9496880eab1c1c36a81

/storage/emulated/0/joyCache/analyse/423647758/h/1718348492307

MD5 f0e93ecf9c40ddd13034a73d773d8651
SHA1 cf0d99effc1f47bf457a52a19e2b7b9e12029e8b
SHA256 067073cf8ee94700ceefa38e9ad8e2f64910cced17fd301b443dd1f7bda2b812
SHA512 1bbb670006c5c55b26f238e907e2bab8ae8667dba0cba39a27139e6bfad7b8e4ffcb2b9884cf77454c81f48f9fc18abb452db9a05556bcfa7855f1468421ae9a

/data/data/com.lydiabox.android/databases/sharesdk.db-journal

MD5 53470d2fbb9f46690336f77cc27d103e
SHA1 fbe8dee985e1fce5a8f2c67e0e7b0b97b498da63
SHA256 211b3cab999c96e3d49a4b92a96d21ae148206da80c19fab9edac356d6204054
SHA512 93c6b131186e70468d1792b08d956c15e3b4c91421dd33e4292fdda3ac63c2c79e2853f98227397ce3e829ead4417c237c50f31fb3fb9616c8a092e340a1c005

/data/data/com.lydiabox.android/databases/sharesdk.db-wal

MD5 36c4bca784973b3175c9c7c78846c956
SHA1 3dc17940cf99c13a4c201ef2542c3283c5477107
SHA256 338096f8f52b87de7fa6140708d87434a1e9d56318e355e60c1c83b0a312140e
SHA512 d90ac8f9bbbac449a44d0647c57b6d16704746949ec74c5a375c441721df2d92fecf8fbbe388fb5cbe86bd088c81ba6ccc86069ecd5e5db36ede27a653445456

/storage/emulated/0/ShareSDK/.ba

MD5 9af6a304b00906aece9e3b9126a6c68a
SHA1 3cf951a1721c7c869a08a47efc82a8d47b950f5d
SHA256 91afb5f61141567268ac420d1741175e455900b396403511e0c5ed20c81792e2
SHA512 1b0c648297df4da18d7c60215d5c4eed0e1d6b9bb2bcce6f544b0a685067f9388d1978a9f48701620d780b6a43184831a755a03b966df6d0d9a330f4545f40da

/storage/emulated/0/ShareSDK/.ba

MD5 386fb9ecdade2a851de9f32b3e077b77
SHA1 62739c98d755e6dbc1266dfbc929611865127a0b
SHA256 07e2405e00d60226053f8259de544edc75b0b814b3d92544c8b5395e15b5fa99
SHA512 97e67a06cbd39bbe015f7a7845e2de1e03bad5a4c4711e797fe5feb7ddbe2729eab2fe7d6a413a221122a21ad0e37388e389a44217bad69581628302fb0578d1