Malware Analysis Report

2024-09-09 13:22

Sample ID 240614-mdltpswerh
Target a92b93f69e0fecd84aca61229abb32b4_JaffaCakes118
SHA256 bebea5c3a250c005becf432455cabed3ed54e4c119bd08c958072a2ea4d0ba31
Tags
discovery evasion persistence stealth trojan collection credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

bebea5c3a250c005becf432455cabed3ed54e4c119bd08c958072a2ea4d0ba31

Threat Level: Likely malicious

The file a92b93f69e0fecd84aca61229abb32b4_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence stealth trojan collection credential_access impact

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 10:21

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 10:20

Reported

2024-06-14 10:24

Platform

android-x86-arm-20240611.1-en

Max time kernel

19s

Max time network

183s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

su

su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
N/A 192.168.2.102:1654 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
N/A 192.168.2.102:1654 tcp
N/A 192.168.2.102:1654 tcp

Files

/data/data/com.eset.ems2.gp/files/IM.txt

MD5 70a9021a1b96084dfefd466350145c99
SHA1 37a62112d97bb2fc33161b24a27e86175055b1b7
SHA256 59d1265a66fc96d76cf99c03240b83859b853333ea34b222456ae9b15fd0dbae
SHA512 093568522d859ac71677b7fd164935c687e09163fe141f5ef1d1643672caafc6884331e0967d2ca7ed8b5ff21b2ee47358a39249d764ae6dbed5ebf4410fb2fc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 10:20

Reported

2024-06-14 10:24

Platform

android-x64-20240611.1-en

Max time kernel

49s

Max time network

154s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.16.226:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/data/com.eset.ems2.gp/files/IM.txt

MD5 0c0390db15bb27327e483e7cf4c5fb28
SHA1 116da3c298369ecd02ec2f6f3cf6657f53c0e12e
SHA256 3ad4b9f10a42a96dd20aa0dfda9fd0690fb798fe4d87d8be3a45913abd4c7968
SHA512 f76265ac90c343b0ee48da5a2774ce7ee6cf980588b7eb019278e570228eeaa238f20ed4d6232aa0e67f95d7f059c105670f3c17896c00e7e76d800e151e3ed3

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 10:20

Reported

2024-06-14 10:24

Platform

android-x64-arm64-20240611.1-en

Max time kernel

137s

Max time network

132s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/user/0/com.eset.ems2.gp/files/IM.txt

MD5 275b8a284b3229318f8e3e389c781a25
SHA1 8eb0e4352bbfb3dcdf0dec333a30eafc802525f3
SHA256 2ba6c7ee7f2ca0ca3d8096cba3a57c45382191f37c3e043da37efe87e4a05572
SHA512 f4a758539b88fcbaa9002f24881b14c66f17b3ad19d137b67a8583f88b779305df4989d8390722342fd1cc9eae95f3cbda5500477672c8885d8df7b42a835837