Malware Analysis Report

2024-09-09 16:04

Sample ID 240614-levmkavaph
Target a8f7048ba87a3017f7b3755177d71bc2_JaffaCakes118
SHA256 05180d9701404c805c942501315c82e602c5154ee99d06ed33612c503693ce40
Tags
banker discovery persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

05180d9701404c805c942501315c82e602c5154ee99d06ed33612c503693ce40

Threat level: shows suspicious behavior

The file a8f7048ba87a3017f7b3755177d71bc2_JaffaCakes118 was found to show suspicious behavior. The summary below is the union of the signatures that fired across the static analysis and the three behavioral runs; a signature that fired in only one run still appears here.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information
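
How the tag line on the front page follows from the per-run indicators, shown as an added Python example (this is not the sandbox's own code): a rule table reconstructed by hand from the signatures printed in this report is matched against the indicators transcribed from the static and behavioral runs, and the resulting tag sets are unioned. The report prints no indicator for the installed-applications signature, so the Binder method used for it below (IPackageManager.getInstalledApplications) is an assumption; the `banker` tag is the only one that depends on it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One sandbox signature: the indicator that fires it and the tags it contributes."""
    name: str
    kind: str        # event kind: "service_call", "file_read" or "permission"
    indicator: str   # Binder method or permission name; a path prefix for file_read
    tags: frozenset


# Rule table reconstructed by hand from the signatures printed in this report.
RULES = (
    Rule("Obtains sensitive information copied to the device clipboard",
         "service_call",
         "android.content.IClipboard.addPrimaryClipChangedListener",
         frozenset({"collection", "credential_access", "impact"})),
    # The report prints no indicator for this signature; the Binder method below
    # is an assumption made only so the rule can fire in this example.
    Rule("Queries a list of all the installed applications on the device",
         "service_call",
         "android.content.pm.IPackageManager.getInstalledApplications",
         frozenset({"banker", "discovery"})),
    Rule("Queries information about active data network",
         "service_call",
         "android.net.IConnectivityManager.getActiveNetworkInfo",
         frozenset({"discovery"})),
    Rule("Queries the mobile country code (MCC)",
         "service_call",
         "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone",
         frozenset({"discovery"})),
    Rule("Registers a broadcast receiver at runtime",
         "service_call",
         "android.app.IActivityManager.registerReceiver",
         frozenset({"persistence"})),
    Rule("Checks memory information",
         "file_read", "/proc/meminfo", frozenset()),
    Rule("Requests dangerous framework permissions",
         "permission", "android.permission.READ_PHONE_STATE", frozenset()),
    Rule("Requests dangerous framework permissions",
         "permission", "android.permission.WRITE_EXTERNAL_STORAGE", frozenset()),
)


def matches(rule, kind, indicator):
    """Exact match for Binder methods and permissions, prefix match for file paths."""
    if kind != rule.kind:
        return False
    if kind == "file_read":
        return indicator.startswith(rule.indicator)
    return indicator == rule.indicator


def evaluate_run(events):
    """Map one run's (kind, indicator) events to {signature name: tag set}."""
    hits = {}
    for kind, indicator in events:
        for rule in RULES:
            if matches(rule, kind, indicator):
                hits.setdefault(rule.name, set()).update(rule.tags)
    return hits


def summarize(runs):
    """Union of signature names and tags over all runs, as on the report's front page."""
    names, tags = set(), set()
    for events in runs.values():
        for name, run_tag_set in evaluate_run(events).items():
            names.add(name)
            tags |= run_tag_set
    return names, tags


# Events transcribed from the report's four analyses (APPS is the assumed indicator).
CLIP = ("service_call", "android.content.IClipboard.addPrimaryClipChangedListener")
APPS = ("service_call", "android.content.pm.IPackageManager.getInstalledApplications")
NET = ("service_call", "android.net.IConnectivityManager.getActiveNetworkInfo")
MCC = ("service_call", "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone")
RECV = ("service_call", "android.app.IActivityManager.registerReceiver")
MEM = ("file_read", "/proc/meminfo")

RUNS = {
    "static1": [("permission", "android.permission.READ_PHONE_STATE"),
                ("permission", "android.permission.WRITE_EXTERNAL_STORAGE")],
    "behavioral1": [APPS, NET, MCC, RECV, MEM],
    "behavioral2": [CLIP, APPS, NET, MCC, RECV, MEM],
    "behavioral3": [CLIP, APPS, NET, MEM],
}


def run_tags(name):
    """Tags contributed by a single run; behavioral3, for instance, never adds 'persistence'."""
    return set().union(*evaluate_run(RUNS[name]).values())


if __name__ == "__main__":
    for run in RUNS:
        print(run, sorted(run_tags(run)))
    print("overall:", " ".join(sorted(summarize(RUNS)[1])))
```

The point to take from the per-run output is that the clipboard signature (collection, credential_access, impact) fired only in the two x64 runs and the receiver/MCC signatures only in the x86 and x64 non-arm64 runs, so a single detonation would have produced a shorter tag line than the front page shows.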

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:27

Signatures

Requests dangerous framework permissions

Indicator: android.permission.READ_PHONE_STATE
Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process: N/A
Target: N/A

Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Description: Allows an application to write to external storage.
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:27

Reported

2024-06-14 09:30

Platform

android-x86-arm-20240611.1-en

Max time kernel

19s

Max time network

140s

Command Line

com.droidhen.cowboy

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.droidhen.cowboy

Network

Country  Destination            Domain                              Proto
GB       142.250.180.14:443     N/A                                 tcp
N/A      224.0.0.251:5353       N/A                                 udp
US       1.1.1.1:53             nmarket.nduoa.com                   udp
US       1.1.1.1:53             dhprompt.appspot.com                udp
GB       216.58.201.116:80      dhprompt.appspot.com                tcp
GB       142.250.187.206:80     www.google-analytics.com            tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.200.14:443     android.apis.google.com             tcp

Files

/data/data/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 1e73badd70acdd4c153ac1960255d423
SHA1 65fb82d8d419e7aa94d40d02329707c9300f6b2f
SHA256 e3e4e9dab8059a9afbb002cc793debbd5a9d325041d366859bfdc904da810a66
SHA512 034981967f6533d476f217f238dc1b8286489cfe783859e507b115690dbe3879c995c994f1e62cfc9e5595eee87a88b324f984223a914fe900bf9d84cbc12684

/data/data/com.droidhen.cowboy/databases/google_analytics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.droidhen.cowboy/databases/google_analytics.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.droidhen.cowboy/databases/google_analytics.db-wal

MD5 fa78d35e1a02e045221f94eb7a9e1eab
SHA1 f85c4a2cc34646203b96defacff71c27e5d8fc65
SHA256 c42deb1d4ebedec817888afddf527d20d2d039147df955e10f40311c3a280871
SHA512 d9914929d5a357f2aa475c31b055ae09a64199622ee7b86c49658a0466debd06236cda458a388549ba5b9cfa59254f8747fdcd34a7da23382e36bf38f93a826c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:27

Reported

2024-06-14 09:30

Platform

android-x64-20240611.1-en

Max time kernel

8s

Max time network

176s

Command Line

com.droidhen.cowboy

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.droidhen.cowboy

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       N/A                                 udp
US       1.1.1.1:53             nmarket.nduoa.com                   udp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       216.58.201.104:443     ssl.google-analytics.com            tcp
GB       142.250.178.14:443     N/A                                 tcp
GB       142.250.180.3:443      N/A                                 tcp
GB       216.58.204.78:443      N/A                                 tcp
BE       74.125.133.188:5228    N/A                                 tcp
GB       142.250.179.228:443    N/A                                 tcp
GB       172.217.16.238:80      www.google-analytics.com            tcp
US       1.1.1.1:53             dhprompt.appspot.com                udp
GB       142.250.187.244:80     dhprompt.appspot.com                tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       142.250.187.202:443    semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53             g.tenor.com                         udp
GB       142.250.180.10:443     g.tenor.com                         tcp
US       1.1.1.1:53             www.google.com                      udp
GB       142.250.180.4:443      www.google.com                      tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       172.217.16.238:443     android.apis.google.com             tcp
US       1.1.1.1:53             mdh-pa.googleapis.com               udp
GB       142.250.187.202:443    mdh-pa.googleapis.com               tcp
US       1.1.1.1:53             safebrowsing.googleapis.com         udp
US       1.1.1.1:53             www.youtube.com                     udp
GB       142.250.200.46:443     www.youtube.com                     udp
GB       142.250.200.46:443     www.youtube.com                     tcp
US       1.1.1.1:53             growth-pa.googleapis.com            udp
US       1.1.1.1:53             lh3-dz.googleusercontent.com        udp
GB       216.58.212.193:443     lh3-dz.googleusercontent.com        tcp
US       1.1.1.1:53             accounts.google.com                 udp
US       1.1.1.1:53             accounts.google.com                 udp
BE       74.125.133.84:443      accounts.google.com                 tcp
US       1.1.1.1:53             www.google.com                      udp
GB       142.250.180.4:443      www.google.com                      tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       172.217.169.42:443     semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.206:443    android.apis.google.com             tcp
US       1.1.1.1:53             i.ytimg.com                         udp
GB       142.250.179.246:443    i.ytimg.com                         udp
GB       142.250.179.246:443    i.ytimg.com                         tcp
US       1.1.1.1:53             www.google.com                      udp
GB       142.250.180.4:443      www.google.com                      tcp

Files

/data/data/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 d1b4f83f55d00f2aa2966fe09992360b
SHA1 40b1ce55ed21bed7061f0afd265a797594c45d27
SHA256 c748269a192a5c00af19475a4166195881c2dbc8e62c0ed8ce3ccd0db2853cd1
SHA512 ca6ec0950fb8ba11d492af0d35e2f7de1a72b23bdc5e4a96fd97850df277d4d876da099104562320c7d06ead21c63a1bece465b69300b0867dcb865c0a9ca3ad

/data/data/com.droidhen.cowboy/databases/google_analytics.db

MD5 ea628e04765adaf4238a5dcdff4bbd51
SHA1 a801947619ea8c368efe9c006a324dc6339ac60b
SHA256 885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4
SHA512 c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

/data/data/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 1cd1b86995fad0528f41f3da965a520c
SHA1 d467d223cda5b07a92ec745a175e16b4719946b9
SHA256 7ad964f28c37ed7289a412abf2238ad371f92fec26d222959a738f1c8ac115a5
SHA512 58b5c36d96c68a75009d99318c352db5265fe0903e0f28573b855fcf36cc23171386e985183fb1c6d456c69a965481bceed00f5d201db0cd0bf18d07f6a9b5b6

/data/data/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 45047c473bfa4b72b8cc074768c245f8
SHA1 b1db266fabf0f7f734e15b065602d81363e62297
SHA256 40c84b2bcec5af7ca6c702923671edf7d2ed5c3db85e911bffb34a63ee9a4079
SHA512 b61e835721681bcdc1b41d82852144f41c45577447b170b41cfb8ecfaaea0df43a0b343b50d23f187f6dae6d6f7e7fce8894c487c321598248bb54169a6017c1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 09:27

Reported

2024-06-14 09:30

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

132s

Command Line

com.droidhen.cowboy

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.droidhen.cowboy

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       N/A                                 udp
US       1.1.1.1:53             nmarket.nduoa.com                   udp
US       1.1.1.1:53             dhprompt.appspot.com                udp
GB       142.250.179.244:80     dhprompt.appspot.com                tcp
GB       172.217.16.238:80      www.google-analytics.com            tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.206:443    android.apis.google.com             tcp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.180.8:443      ssl.google-analytics.com            tcp
GB       216.58.201.100:443     N/A                                 tcp
GB       216.58.201.100:443     N/A                                 tcp
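
Most rows in the three network tables are Google platform traffic that the emulator image generates on its own (Play services on port 5228, accounts, Safe Browsing, YouTube thumbnails). The endpoints that belong to the app itself are easier to see once the rows are bucketed. The following Python is an added example, not part of the report or the sandbox: it parses rows in the report's own column order, treats resolver queries to port 53 separately from connections, and splits connections into platform noise, third-party endpoints, cleartext HTTP and TLS to bare IPs. The rows are a subset copied from the tables above; the platform suffix allow-list is an assumption, and appspot.com is deliberately left off it because an App Engine hostname belongs to whoever deployed it.

```python
import ipaddress

# Rows copied from the report's network tables (a representative subset). The Domain
# column is missing or N/A when the sandbox had no DNS answer to pair with the flow.
ROWS = """\
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 nmarket.nduoa.com udp
US 1.1.1.1:53 dhprompt.appspot.com udp
GB 216.58.201.116:80 dhprompt.appspot.com tcp
GB 142.250.187.206:80 www.google-analytics.com tcp
BE 74.125.133.188:5228 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 www.youtube.com udp
"""

# Assumption: background traffic of the emulator image itself, not of the sample.
PLATFORM_SUFFIXES = (
    ".google.com", ".googleapis.com", ".google-analytics.com",
    ".googleusercontent.com", ".youtube.com", ".ytimg.com", ".tenor.com",
)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent or N/A."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue  # header or blank line
        host, port = dest.rsplit(":", 1)
        rows.append({
            "country": None if country == "N/A" else country,
            "ip": host,
            "port": int(port),
            "domain": None if domain == "N/A" else domain,
            "proto": proto,
        })
    return rows


def classify(row):
    """Bucket one row so that platform noise does not hide the app's own endpoints."""
    if ipaddress.ip_address(row["ip"]).is_multicast:
        return "local_multicast"   # 224.0.0.251:5353 is mDNS on the emulator's LAN
    if row["port"] == 53:
        return "dns_lookup"        # resolver query; the name is what was looked up
    if row["domain"] is None:
        return "unresolved"        # connection the sandbox could not pair with a name
    if row["domain"].endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "third_party"


def triage(text):
    """Summarise a network table: what the app talked to, in cleartext, and without a name."""
    rows = [(r, classify(r)) for r in parse_rows(text)]
    looked_up = {r["domain"] for r, c in rows if c == "dns_lookup"}
    connected = {r["domain"] for r, c in rows if c in ("platform", "third_party")}
    return {
        # app-controlled endpoints it actually connected to
        "third_party": sorted({(r["domain"], r["port"], r["proto"])
                               for r, c in rows if c == "third_party"}),
        # names resolved but never connected: sinkholed, dead, or a fallback never used
        "dns_only": sorted(looked_up - connected),
        # cleartext HTTP: the request and any identifiers in it are visible on the wire
        "plaintext_http": sorted({r["domain"] or r["ip"] for r, c in rows if r["port"] == 80}),
        # TLS to bare IPs: check the SNI in the pcap before writing these off as platform
        "unresolved_ips": sorted({r["ip"] for r, c in rows if c == "unresolved"}),
    }


if __name__ == "__main__":
    for bucket, values in triage(ROWS).items():
        print(bucket, values)
```

On the subset above the only third-party connection is dhprompt.appspot.com over plaintext HTTP on port 80, and nmarket.nduoa.com is looked up but never connected to; the same pattern holds for all three runs in the tables above, so those two names are the indicators worth carrying forward, not the Google addresses.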

Files

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 fd52f6c4a1519ed339d9e0defc88ee1e
SHA1 28952b6542a21eb910666ee998b2f217d157b05b
SHA256 149ef928afcc2362a12f11ed0c9a57fab41b18c7c39d3a9b915a30e4f6147818
SHA512 5aa93cb92ac35b46d81ebf5cd72684cc15d7390644230c19b8d9d15d55a71fdee0563b0ddd0dadab30f3dd55556f27f71262074e6cf710b11322c610db4ebd6b

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db

MD5 6ee5aa7520c339e994240033795ac372
SHA1 0ef0db51cc2f944fc168019d803d9e514914f454
SHA256 3406309bd3887de91998d7c5cdebb67808ab07f4bd21baa4d1fcdbf212a59f0d
SHA512 4f97f87ee57209f3c7f2f50c54d62c6484425a9c36ca55a12d12a28e84356eda8abc95abb60eb80030f1b3e68c78776430195f666886f123f070fd9979dc7c48

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 96511b93b20e19f17724a5a0de377b31
SHA1 2e9fbf04b06e7fc6d7c1f9cdde8445e24d7da95d
SHA256 5202fc85aa3b4ee2a6aac331b549e27ffe76e169b35ee255810ef7e63f801d53
SHA512 462a8992eec17655efaf3a68962ed300f819e97cd20e0006f1f060486c5cce0fd7e33f6280d44dc81cc7761b4d994d0596e1ef5626339939b53e92198052baa0

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 51ba584e95ddc082ad9d31632e9c575b
SHA1 b6b1c711cec339d5a110ccd46263678f89ca5371
SHA256 a0c865e5a1dff1bbd04122b96c5fd0e0d5a349e7407ec301df54d2061eff71cd
SHA512 423a131244427932be29da34c126d48de118efc47941c5e567dc1ed826df1b314d3b19f11b355a9f52e1448bc465b8487ee2b580d6aa2a7d81b414c89d1743d2

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 fb6f4c9b592d12a3bdb69b7a3d792a10
SHA1 93e254ce43c0596f16e79d5597739bed31101dfb
SHA256 ac1bf3072ae96f701161fed9a55760bdaeddbbfc0a7c1b91eb97b6f347827db3
SHA512 5fdb80c1afd537f7efbb0b3ca5f7943778119ee840b74705ccf4eecb548f351fdd88459809b07e9b6eec2c8f436d2e0b6546aaedfff4e7ed63751f4a413b9199

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 88f127d7b66faee809003cfb5642914b
SHA1 673e432565b8094eba9c05d616ecfe570c4dbd27
SHA256 f1a0e2e871219ef611a5129badee4315a4b6abb62b28ba1fb982626d9b706946
SHA512 bc55387cf2357fd7d77ff00a40a34348dd3080e49e805f3fcc39d26e01487b4740f6faf2bd423d73994a800983909a43c62b7b2f838844d538d45b077ac98ed0

/data/user/0/com.droidhen.cowboy/databases/google_analytics.db-journal

MD5 ae79d3d74466e7fe9e1a8c59edc42a8a
SHA1 c2ee3dcefedce2f935edcc52a9364beb404bfa91
SHA256 d73e8566e7475da11e7ca0a05e758a67fdd924293f537fa5b769f6a2a6f64b1c
SHA512 6f626d25b1c4125a875672e0e97763d9ffd1650faff0e956256a8ab8d34cccd3ba0de826a5006c86cf3a659e7d4d479c278481fd2f9ca5b41059b9aacf24c797