Malware Analysis Report

2024-09-09 12:56

Sample ID: 240614-ktedfstbnb
Target: a8d37293242111cec03e08ceac1c5221_JaffaCakes118
SHA256: 52b56ad1c8f1beb1f7d697c1377a408a11a992f35d66cd87212e725878273a83
Tags: banker collection discovery evasion impact
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a8d37293242111cec03e08ceac1c5221_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Reads information about the phone network operator

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 08:53

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:56

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

132s

Command Line

cm.tuofu.a20140927081705

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

cm.tuofu.a20140927081705

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 172.217.16.234:443 | (none) | tcp
GB | 172.217.16.234:443 | (none) | tcp
GB | 216.58.204.78:443 | (none) | tcp
GB | 216.58.204.78:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | client.adfeiwo.com | udp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
GB | 142.250.178.4:443 | (none) | tcp
GB | 142.250.178.4:443 | (none) | tcp

Files

/data/user/0/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 676aa9573d3c381e283dcec0d3f49ce0
SHA1 55466c9c0525c3d80081ce5dabcf6e7e2f9fd776
SHA256 d862dc9d32cfefca15ba0ce33d49944815e8069fdb27820e5e4fb1bfd62f8318
SHA512 14032bd8c961d54e4aaf994edd4a081ce713bd82c244a289cd5a0cdf217f1226c42c3f3a53ed23a18b333e6ec9228e80a2b1aa8a7f4ed30a34df2b9149e5af0d

/data/user/0/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_2/-2054404330

MD5 6b6459d52f57e09db2e58cc97c57f8d7
SHA1 cafdb7ebf691076ad5d4ef4d38eab16c66ad1238
SHA256 da5b5353778777054c46f194d8f8a0018e0164112657ce2a417e92521b044ef9
SHA512 96cae4b0cfefa6e827aad7f8045736e7f5c3133f0c7d60a520bcc91ad8e31e1cf597b908c99b96540031892918b9a8cb44249b28781fa9d49fa64d2bf71585d6

/data/user/0/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 b25308a7f2e253083b30a2bdbd8e1549
SHA1 6098ffb31af72eac909371ecab2703e6abee2d39
SHA256 575d091e1119d49f30fd750ddcf98ac3f9402ab8b8fd466a4e6f26a9bab5f1af
SHA512 8cb99b151d09901adef0212d08942d0811d4159aa5ec6cf5ba97d03df89bee6393eb3132cfebcb0d1ee72c9c1abaabacdaeabf231a62de5f8c4053a25f178a50

/data/user/0/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_3/-2054404330

MD5 7570dad48a063a539a65b55460ba7be5
SHA1 dce6c30df13d6b2b403fb7c2ec47bffecf04f0e1
SHA256 d15489635efbfde00f62f93c54795292d189e702ff75896e74a9476459584fd3
SHA512 0ff08876c9e5cfae170284e1295a302d7e5c2b7370ef13242bbc85e655445f37cada490748676e223d32d7bfab6efec106508bc1445dbd8bca7567d7ff102dbb

/data/data/cm.tuofu.a20140927081705/databases/db.db

MD5 5751e0c6188af3680d79c18686c1a7e1
SHA1 0ddd57511eaece612470f2b3d546c4cfbd3f0f76
SHA256 da47ffccbc24e87f2b662ce41cf87e1147af87f570e7078a19d1e40c71b03229
SHA512 93878b3a30104582b462ef79a9dbe5d70306dc1451417b295d8b13bce28af7de52713f476d78a10ab9edbafbf96eac25a952bb8bc09087c1ff0c59b596e9a6f2

/data/user/0/cm.tuofu.a20140927081705/databases/db.db-journal

MD5 75dfca6e947fdeb6dbf53cbfb8da1733
SHA1 ad360965941c9d94940af194a79e5968f9f23943
SHA256 e00d6048268929d93016d7cff5a63c8f4fcb0d0a695a2177aeaf38ff206a1a81
SHA512 496622a5b70fca7bdbfd73e3a9825bd4e1c3fee559b62f692b613172786c539430a467d1f120a6ffab2a7a0d2c2218cce3e096980c5502045f5ad22b989b3a77

/data/user/0/cm.tuofu.a20140927081705/databases/db.db

MD5 b477871e0b1237f3319b0c8280245bcc
SHA1 004380fd066f52d5902673e5c2fcaaf8d977596b
SHA256 75ecff67d0711df96dcd9e39a170e6777e7fb1c1bfc79cfb12f505e0efbd5c05
SHA512 000b29c5ce09d0296fdf2d9d4fea434a12d6279ddda1d19b01ac69b87edb0bd82fbdb7c282572a7a4071c2ca4b1dc6d6896cd1f5ad97d2384e428c842038e643

/data/user/0/cm.tuofu.a20140927081705/databases/db.db-journal

MD5 e1eb5ba4340e4d69e6fd03fd7582aeaa
SHA1 dbb04bc50fc96a7ee6feb4c4eba899b561ac7e3c
SHA256 6b7b2b86e3544d76120c53b062401f61b752dda22add77bce9aaa96e468ed10c
SHA512 a6edae9d48de9135ff00a3ac937ab484e211b4131f978701f660bc990c3c1a3244c6a5b80694963dd42cfd165b008e3c3203e088f76f82eab36e76b79f4ab339

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:56

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

130s

Command Line

cm.tuofu.a20140927081705

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

cm.tuofu.a20140927081705

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | client.adfeiwo.com | udp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
GB | 142.250.187.206:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 499eeaeaa99ce93e8706251ccb0e0dc5
SHA1 51c34eb499f6b53c550a4b32c88c81ea9c2d34da
SHA256 ce2756ce59b9a1d99f5f161f273cfe7e98155981d6dc17acb8e7a0ac6bf106dd
SHA512 5e4d74a18df0b28b241b92eaef5f3b98f98b5b262d83c7fdd955b8d96f3874ab7d55d8bd9474e7e8c683b5e946d2053c4ce7556e44c0fd5b52b2eaa93339a917

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_2/-2054404330

MD5 6b6459d52f57e09db2e58cc97c57f8d7
SHA1 cafdb7ebf691076ad5d4ef4d38eab16c66ad1238
SHA256 da5b5353778777054c46f194d8f8a0018e0164112657ce2a417e92521b044ef9
SHA512 96cae4b0cfefa6e827aad7f8045736e7f5c3133f0c7d60a520bcc91ad8e31e1cf597b908c99b96540031892918b9a8cb44249b28781fa9d49fa64d2bf71585d6

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 6b2882cf09321ac5feca7e513b63f4a0
SHA1 35bb671bd4a7fe2771c6da92d6163280852f9fae
SHA256 351960847f2a4eb469055f74120300e9a429168b28e03ee4f3a81e47e782d47c
SHA512 86e7f4dc5e213c9ee0d604c1569ee5ea7976c67e0bda08ac88e8ee6d8d7d234a78e4076a3f7e06c48c6d7305543677174abf852ceb9e8a689175592d3c7a7f5b

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_3/-2054404330

MD5 7570dad48a063a539a65b55460ba7be5
SHA1 dce6c30df13d6b2b403fb7c2ec47bffecf04f0e1
SHA256 d15489635efbfde00f62f93c54795292d189e702ff75896e74a9476459584fd3
SHA512 0ff08876c9e5cfae170284e1295a302d7e5c2b7370ef13242bbc85e655445f37cada490748676e223d32d7bfab6efec106508bc1445dbd8bca7567d7ff102dbb

/data/data/cm.tuofu.a20140927081705/databases/db.db

MD5 5751e0c6188af3680d79c18686c1a7e1
SHA1 0ddd57511eaece612470f2b3d546c4cfbd3f0f76
SHA256 da47ffccbc24e87f2b662ce41cf87e1147af87f570e7078a19d1e40c71b03229
SHA512 93878b3a30104582b462ef79a9dbe5d70306dc1451417b295d8b13bce28af7de52713f476d78a10ab9edbafbf96eac25a952bb8bc09087c1ff0c59b596e9a6f2

/data/data/cm.tuofu.a20140927081705/databases/db.db-journal

MD5 63b946280b11bacea6e270f17cd7b560
SHA1 0a98de5f5eb18df582bcb644828a238c87e4d613
SHA256 c0ede9202c41e697cf92f5a69229014690be916baf2fac7f48d98cc8319f948d
SHA512 3ed0effc367fca640966602745295dcd9e4247e078938eecbfbf3e00c39c91f553ca2116a93d0ae91b75c6dd9a5a9cb0f988e2877244a80ec21ed92f5c603e52

/data/data/cm.tuofu.a20140927081705/databases/db.db

MD5 c62d358199c4a7de197699e112f95093
SHA1 c5b690da0c826beeaf85f313a7e9513343529bb7
SHA256 c9da7d17f9bb81071d3330c23bf4b194617154e21a0fa0de72b3777e0ec3f9e1
SHA512 670c516be76b23329d96580eed1620397798d9642a500399919d59ef675e41f51ef58a69642c537dbe6e344d0031887290b6af250197d42ed52a179654bf0556

/data/data/cm.tuofu.a20140927081705/databases/db.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/cm.tuofu.a20140927081705/databases/db.db-wal

MD5 f611a42f31703f474d1ff559eb6ac68f
SHA1 5b2ab9c6c1faa074bfeba995103c855568a12efd
SHA256 71217dee562c4daa159e6dc2deca41534d8b5ef4ac151db55f3e4b4682139647
SHA512 e3fccaf4fb88bc06a0c401be6592589bc8f8a9e1e56efccdb3f851ac60fcd3d53bfa107a671c7dbfaffedfb208b20125776139ad26b7e658db313f4d096a4cb4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 08:53

Reported

2024-06-14 08:56

Platform

android-x64-20240611.1-en

Max time kernel

9s

Max time network

186s

Command Line

cm.tuofu.a20140927081705

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

cm.tuofu.a20140927081705

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | client.adfeiwo.com | udp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
HK | 154.86.204.72:9110 | client.adfeiwo.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | (none) | tcp
GB | 142.250.179.228:443 | (none) | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 142.250.178.14:443 | (none) | tcp
GB | 142.250.187.226:443 | (none) | tcp

Files

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 676aa9573d3c381e283dcec0d3f49ce0
SHA1 55466c9c0525c3d80081ce5dabcf6e7e2f9fd776
SHA256 d862dc9d32cfefca15ba0ce33d49944815e8069fdb27820e5e4fb1bfd62f8318
SHA512 14032bd8c961d54e4aaf994edd4a081ce713bd82c244a289cd5a0cdf217f1226c42c3f3a53ed23a18b333e6ec9228e80a2b1aa8a7f4ed30a34df2b9149e5af0d

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_2/-2054404330

MD5 6b6459d52f57e09db2e58cc97c57f8d7
SHA1 cafdb7ebf691076ad5d4ef4d38eab16c66ad1238
SHA256 da5b5353778777054c46f194d8f8a0018e0164112657ce2a417e92521b044ef9
SHA512 96cae4b0cfefa6e827aad7f8045736e7f5c3133f0c7d60a520bcc91ad8e31e1cf597b908c99b96540031892918b9a8cb44249b28781fa9d49fa64d2bf71585d6

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 a45d9880d71cf4fdc91776414c0df9eb
SHA1 954c16911e94deecad7adad4b8bfdd4da947f2c4
SHA256 98b34c727b2dde53a283115fb8521eaef4450014feadcb2744f25ecd9cf6d86f
SHA512 36a51f0756353d97d1f049f7a526ac9c8d78caa31e739a6bf0ab6a2fd3784c66e5914645433274922994c4d06c1882c0f623d1c43b94f432c017cd4301cc140b

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/cache_3/-2054404330

MD5 7570dad48a063a539a65b55460ba7be5
SHA1 dce6c30df13d6b2b403fb7c2ec47bffecf04f0e1
SHA256 d15489635efbfde00f62f93c54795292d189e702ff75896e74a9476459584fd3
SHA512 0ff08876c9e5cfae170284e1295a302d7e5c2b7370ef13242bbc85e655445f37cada490748676e223d32d7bfab6efec106508bc1445dbd8bca7567d7ff102dbb

/data/data/cm.tuofu.a20140927081705/databases/db.db

MD5 5751e0c6188af3680d79c18686c1a7e1
SHA1 0ddd57511eaece612470f2b3d546c4cfbd3f0f76
SHA256 da47ffccbc24e87f2b662ce41cf87e1147af87f570e7078a19d1e40c71b03229
SHA512 93878b3a30104582b462ef79a9dbe5d70306dc1451417b295d8b13bce28af7de52713f476d78a10ab9edbafbf96eac25a952bb8bc09087c1ff0c59b596e9a6f2

/data/data/cm.tuofu.a20140927081705/cache/feiwo_dir/storage/emulated/0/feiwomob/global_cache/1807629056

MD5 46f2afc53c81ae4fed739f09fff7899b
SHA1 bf5127d5478bca9c7fe94786d6ee7c4b6ce63714
SHA256 bccfe0b6a8c48ffe54eed7cb9954e5ce273f70161a502b3bb925c892bbee6776
SHA512 830f8e3053cc142e4de3c33ba2be82a81aa360f5eff186d9f3f85375ad61a72c9174cc51aac7e4623b88e28cacb188eddf79e8ec028a9ac2a7b1633a95c54233

/data/data/cm.tuofu.a20140927081705/databases/db.db-journal

MD5 e4704f1470b594374ef29657bc444bfb
SHA1 af95102024183a37b9eb602b0e2c170a14c97ba1
SHA256 e27e3c83955ddb97eeb9c23bea4df37d37c9b63781ac68a554e86459dff6d7f1
SHA512 7d5ee07347cfbb24060428a585528320882c0f30a3362787cdbee00f3396b51076f083cc8a4b9ecbc6f4783886d3907378be9b3d458ace9905188926ff3221b2

/data/data/cm.tuofu.a20140927081705/databases/db.db

MD5 5eb48502a0a8d8a3c235388686bface9
SHA1 4eb8bce49f32dcb8b6b1c842158f846871ef40b1
SHA256 57e2ea30c4b49c0b6fbf7d7ea08e06aa882ab84ab31c600fe5e3b510fb09d5bd
SHA512 85ac8c4ed4ae81e2f9e0490fadb3868890e062481458b5bdb046996ea96aa8916d68ef729431e58780f85d08199933a86dca1f3fe21e4b67ad89d1e777c763b2

/data/data/cm.tuofu.a20140927081705/databases/db.db-journal

MD5 63a7716c1e53146ce6cb9f13c4b2bf44
SHA1 8dfa6912c773e33a7ce91e1a5fdca5881ee58e05
SHA256 6e211fdffe51ddf147ee53ac24de4671a5e074a572a86c08fd38b6e13a8e21d6
SHA512 2864ee8f4664e77ac62b54c0053ef805aa27ba27a74e926594b9cac1be29f2dc0ec3365e5a68960e69904102f93f9a224987be66f49ead471872139ae2dbee0c