Malware Analysis Report

2024-09-09 12:58

Sample ID: 240614-mvmgka1dlj
Target: a944d3882fe56fc3ac31532e591cb82c_JaffaCakes118
SHA256: c8dd8960485f03c3b7b77246425d79c1e2bd9d813237925cadd22a6f08a35d1c
Tags: banker collection discovery persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: c8dd8960485f03c3b7b77246425d79c1e2bd9d813237925cadd22a6f08a35d1c

Threat level: shows suspicious behavior. The file a944d3882fe56fc3ac31532e591cb82c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 10:47

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
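The combination declared above (read/receive/send SMS, SYSTEM_ALERT_WINDOW, contacts, accounts and phone state) is what a practitioner checks first when a sample carries the banker tag: no single permission is damning, but the pairs are. The script below is an added example, not part of this report or of the sample, showing how to pull the declared permissions out of `aapt dump badging` output and score those combinations. The aapt output is constructed to mirror the static1 table (including READ_PHONE_STATE being listed twice); the package/version line, the capability buckets and the rule texts are the example's own assumptions, not the sandbox's.

```python
import re
from collections import Counter

# Constructed sample of `aapt dump badging <apk>` output. The permission lines
# mirror the static1 table of this report (READ_PHONE_STATE appears twice there
# too); the package line is an assumption.
SAMPLE_AAPT_OUTPUT = """\
package: name='com.huawei.dsm.filemanager' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_CONTACTS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""

# aapt prints one line per <uses-permission>; API-23-gated declarations use the
# "uses-permission-sdk-23:" prefix, so accept both.
PERMISSION_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'", re.MULTILINE)

# Capability buckets (example's own grouping). A bucket counts as present if any
# of its permissions is declared.
CAPABILITY_GROUPS = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
    "camera": {"android.permission.CAMERA"},
    "settings": {"android.permission.WRITE_SETTINGS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Combinations that matter more than any single permission. A rule fires only
# when every listed bucket is present.
BANKER_RULES = [
    ("overlay window plus SMS read/receive: enables overlay phishing with OTP capture",
     {"overlay", "sms_interception"}),
    ("SMS sending plus contact access: enables premium SMS or spreading to contacts",
     {"sms_sending", "contacts"}),
    ("account list plus phone state: enables victim fingerprinting for a C2 check-in",
     {"accounts", "device_identity"}),
]


def parse_permissions(aapt_output):
    """Counter of declared permissions. Counts are kept so that a permission
    declared more than once (a manifest oddity worth noting) can be reported."""
    return Counter(PERMISSION_RE.findall(aapt_output))


def capabilities(permissions):
    declared = set(permissions)
    return {name for name, members in CAPABILITY_GROUPS.items() if declared & members}


def banker_indicators(caps):
    return [text for text, needed in BANKER_RULES if needed <= caps]


def triage(aapt_output):
    perms = parse_permissions(aapt_output)
    caps = capabilities(perms)
    return {
        "permissions": sorted(perms),
        "duplicates": sorted(p for p, n in perms.items() if n > 1),
        "capabilities": sorted(caps),
        "indicators": banker_indicators(caps),
    }


if __name__ == "__main__":
    for key, values in triage(SAMPLE_AAPT_OUTPUT).items():
        print(f"{key}:")
        for item in values:
            print(f"  {item}")
```

Run it against a real APK with `aapt dump badging sample.apk | python3 triage.py` after swapping the constant for `sys.stdin.read()`. Declared permissions are an upper bound on what the app can do, not proof that it does it; the behavioral runs below are what show which of these were actually exercised.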

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 10:47
Reported: 2024-06-14 10:50
Platform: android-x86-arm-20240611.1-en
Max time kernel: 7s
Max time network: 159s

Command Line

com.huawei.dsm.filemanager

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.huawei.dsm.filemanager

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 119.145.9.205:38180 | | tcp
CN | 119.145.9.205:18082 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/FileDSM/FileManagerApkList.xml

MD5 067de7f9a0bb5ccb131519d8d2ab7b5f
SHA1 704b925ec210d918269fa8ec5b3a3bc9f70af16e
SHA256 0591bf23a77fad0c5a35ad4bbc39bf227f51c5285b28213ed6e83e5ba4ffdfe7
SHA512 e0273aacf1a5af9044fdb340c70a93a0fd2bf3a6b07afd4fb6f7bd0b4df99494fe85746e0528af90733a4d058b4855153ce21c7cdcb6b380025730a2a28f6ab0

/storage/emulated/0/AicoFileManager/source/monitor.xml

MD5 e56d6e4070542ab8a64ab66a3a788245
SHA1 7e7e006c2440b6c5c72494478bb45c8ea142d6fb
SHA256 39a15a8be03633efa575bef772e4cbb31d5832f9a0ef1c8f9ccdaa578396ea8d
SHA512 530fd074a173b730a2bdc220c8892fc39daabd78c7dadef05178c25b106a94fcd4863df5a75fb288020b195d8931fa5b508b89788975079563a6ed4224570a52

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 10:47
Reported: 2024-06-14 10:50
Platform: android-x64-20240611.1-en
Max time kernel: 7s
Max time network: 149s

Command Line

com.huawei.dsm.filemanager

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.huawei.dsm.filemanager

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
CN | 119.145.9.205:38180 | | tcp
CN | 119.145.9.205:18082 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.226:443 | | tcp

Files

/storage/emulated/0/AicoFileManager/source/monitor.xml

MD5 d0cf9497c4542297f84448b15215f751
SHA1 48ee8833d20afe6a741e85c640f9700329aca660
SHA256 7576aeebd15fe7c35cf4c75bc73f93121a8e6214f4e0de3762514545fdede852
SHA512 7611fdd872a44e24d227d19fa797440c56918fda0016f0270e4eb748daef00e3cacf9472968b67810d2736ecf23de4d152eb6fe6217a59cf63bb62a21738f2a5

/storage/emulated/0/FileDSM/FileManagerApkList.xml

MD5 47d654f2b9111186a202b62c68ee5adc
SHA1 34ffb5bad200d7df9dc30912cf0ef59aeb9f9ef3
SHA256 adce29822878b4142ac00f0af740a619020cd9dee12d9dd003a3806d19854f0b
SHA512 c6076987eaa3326647dd17a7329e4a99bc02728bae1a3e561295d1b38d5ee8e5146b3d0d90d2ddf545d36a7ac1da502befb9f5d4d6b4e6294ab94a430c05786d

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 10:47
Reported: 2024-06-14 10:50
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 6s
Max time network: 133s

Command Line

com.huawei.dsm.filemanager

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.huawei.dsm.filemanager

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.234:443 | | tcp
GB | 216.58.212.234:443 | | tcp
CN | 119.145.9.205:38180 | | tcp
CN | 119.145.9.205:18082 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 216.58.212.196:443 | | tcp
GB | 216.58.212.196:443 | | tcp
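Across the three behavioral runs the one endpoint that is neither local multicast, nor a DNS query, nor an address the sandbox tied to a Google hostname is 119.145.9.205, contacted on TCP 38180 and 18082 in every run. The script below is an added example, not part of this report or of the sample, that applies that reasoning mechanically to network rows from all three runs: it parses them, labels each connection, and keeps bare-IP, non-standard-port connections as C2 candidates, ranked by how many runs they recur in. The rows are copied from the Network tables above (a subset for behavioral2 and behavioral3), in the report's Country/Destination/Domain/Proto order; the labels are the example's own heuristics, not sandbox verdicts. The unnamed :443 endpoints cannot be attributed from this table alone; the pcap (TLS SNI) is needed for that.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the report's Network tables (subset for behavioral2/3).
# Both the plain whitespace layout and a "|"-separated export are accepted.
RUN_TABLES = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
CN 119.145.9.205:38180 tcp
CN 119.145.9.205:18082 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
CN 119.145.9.205:38180 tcp
CN 119.145.9.205:18082 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 172.217.16.234:443 tcp
GB 142.250.179.228:443 tcp
""",
    "behavioral3": """
GB 142.250.187.206:443 tcp
N/A 224.0.0.251:5353 udp
CN 119.145.9.205:38180 tcp
CN 119.145.9.205:18082 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 216.58.212.196:443 tcp
""",
}

# The domain column is optional; the regex backtracks so that "tcp"/"udp" is
# never swallowed as a domain.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(table):
    conns = []
    for raw in table.strip().splitlines():
        line = " ".join(raw.replace("|", " ").split())  # normalise separators
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable network row: {raw!r}")
        conns.append(Conn(m["country"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def classify(c):
    """Coarse label per connection; only the last bucket is a C2 lead on its own."""
    if c.ip == "224.0.0.251" and c.port == 5353:
        return "mdns-noise"      # link-local mDNS, usually system chatter rather than the sample
    if c.port == 53 and c.proto == "udp":
        return "dns-query"       # the queried name is what the domain column holds here
    if c.domain:
        return "named"           # sandbox matched a DNS answer to this IP
    if c.port in (80, 443):
        return "unnamed-web"     # no DNS correlation; needs pcap/TLS SNI to attribute
    return "c2-candidate"        # bare IP, non-standard port, no DNS: inspect first


def candidate_c2(runs):
    """(ip, port) -> set of run names in which it was a c2-candidate.
    A candidate recurring across independent runs is unlikely to be emulator noise."""
    hits = {}
    for run, conns in runs.items():
        for c in conns:
            if classify(c) == "c2-candidate":
                hits.setdefault((c.ip, c.port), set()).add(run)
    return hits


def queried_domains(runs):
    return sorted({c.domain for conns in runs.values() for c in conns if classify(c) == "dns-query"})


def class_counts(conns):
    counts = {}
    for c in conns:
        counts[classify(c)] = counts.get(classify(c), 0) + 1
    return counts


if __name__ == "__main__":
    runs = {name: parse_rows(table) for name, table in RUN_TABLES.items()}
    for name, conns in runs.items():
        print(name, class_counts(conns))
    print("queried domains:", queried_domains(runs))
    for (ip, port), seen in sorted(candidate_c2(runs).items()):
        print(f"C2 candidate {ip}:{port} seen in {len(seen)}/{len(runs)} runs")
```

The candidate list is a starting point for the pcap, not a blocklist: confirm the 119.145.9.205 sessions carry sample traffic (and what protocol) before promoting the IP:port pairs to detections, and treat the Google-resolved rows as emulator background unless the pcap shows otherwise.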

Files

/storage/emulated/0/AicoFileManager/source/monitor.xml

MD5 39fe498dd9610345997ca750501d1a7c
SHA1 be1cc37948ade5570d048ca5c9ca093434a90c7b
SHA256 e160fe9577ee8b745218ec54894dce912ae20e80d2c11f59aad606c697720687
SHA512 59921feaa06d49100a8b1640f1fb7536d2817eb279d2c4e364357259058f29ba79ed09060d5ea2fb2005b2e1aa4fecb93752aa35c3553cea716d5bc138e3f74f

/storage/emulated/0/FileDSM/FileManagerApkList.xml

MD5 82eb51b096484433aad3ec72c1562457
SHA1 402eb7c8129a224129832cceca4c6658971e601c
SHA256 e06b4552d3c22bf5f02abcadf3a13883067128f9c3a8217061365f1d43c80aad
SHA512 7000f350a6309fa67f7d7eb0b18dcfd1591613c63d854cd2dbc11077ae65dbede21a989901f31ff6d288071bfce9a07a794dd9feb2f44ed132b4bfebbf198d93