Malware Analysis Report

2024-09-09 17:37

Sample ID 240614-kl179awgnq
Target a8c8f67e00c198984043a0449c58a2dd_JaffaCakes118
SHA256 a8e987a5d4dbf117201b8f0aa2e185968e08cd14d4b69ddd51edaec6e6d8ae1e
Tags
discovery impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a8c8f67e00c198984043a0449c58a2dd_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:42

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 172.217.16.238:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-arm64-20240611.1-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:45

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

161s

Command Line

com.shuame.rootgenius

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.shuame.rootgenius

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 m.xf-conn.qq.com udp
US 1.1.1.1:53 oth.update.mdt.qq.com udp
US 1.1.1.1:53 m.xf-stat.qq.com udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

/data/data/com.shuame.rootgenius/files/beacon/comp/1.jar

MD5 4f198eb855b4409968888cc350a4d65f
SHA1 5bccbd8f60564cbf7930576119b790cc311a13e0
SHA256 d4f5a27326ca3b146a84122d04f01365459fb0cd63c34576f9957dce0df130f3
SHA512 5bf1db583b205fa84fa8c6637c80eed639f2a1acc3a0a73711c5f51444b064116bfbde23df15110d8cef78cb7792d744a6bbd6526adda65f842155c30785b371

/data/data/com.shuame.rootgenius/files/beacon/comp/9.jar

MD5 78fda54d578e58f8eb258237c776f472
SHA1 b906eba1749b99a5119aaacabcb7fc0ffd16bf3f
SHA256 7f7e8e10a3d14416c033231ab70c649bff6b4ec4af9a8f34cb177b64182998d8
SHA512 d36331fb108e464fd18d4f35f79d0fc30ee0ab8575e4acc2bcbe332686cf1b1641499c09b2c0f8f0d28d663e7ed2d1dd8f16f7ab23a53a38ebdb9c58ee6259c3

/data/data/com.shuame.rootgenius/files/beacon/comp/5.jar

MD5 0f007704fec9b983054009f7d9dd593a
SHA1 3ab6b7d14f326d4aa6279eb41465a98b1603abfe
SHA256 696a941f6a45156144e4baacef4a8b8ae187a70c92137d9f6077995334ba45a4
SHA512 c5725dcf0c21112b20a0b89274bdf077d78b97986d57ac546e5c9b48ba4ea9b68e74bc4dddf873d368a32397bbccb3f9a83707c6f8fa7856315ed9ca27715437

/data/data/com.shuame.rootgenius/files/beacon/comp/libBeacon.so

MD5 a99856a4a0b5766f911370d5adf38fa2
SHA1 f8e2a1cc14f1156e833bf6931069acab3953a640
SHA256 80471bf1bdb73969bb4b75ff0050fb5e400a1fcd6053c9d0ae859eb993bb38c6
SHA512 6fa88c0a04ae114107060c8deb3b0944fa5d9b7d58420d9bdb66af34d2a1711617ee2246dee2b28fbdf35e219b8346ba22420f8c957ec4f2116b47cfa244f6b8

/data/data/com.shuame.rootgenius/files/Data/Bin/busybox

MD5 6a2981220018d857a6372e93d63636b0
SHA1 fcf6434ebfdf2d28cff6577becea3af00dc1a104
SHA256 416299b0a604a5370c349be30279e2294eec620af29a70c66e570d53994da903
SHA512 fd4a15a53395e33010ba30fe04b049d8b40f94629f6dd1fa53c647a28c4e7f43501f2294dc0578730de75731ab607a2b644772351711e83923b393dad74c474d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.204.67:443 tcp
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x86-arm-20240611.1-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-arm64-20240611.1-en

Max time network

8s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 08:42

Reported

2024-06-14 08:42

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A