Malware Analysis Report

2024-09-09 16:02

Sample ID 240614-p91c3s1hmc
Target a9d034cb4cc4d0111a97260da12f99fb_JaffaCakes118
SHA256 fa498cfe5afae738e736455a910de45933785858125d92fa9530e8a8f6083f33
Tags collection credential_access discovery evasion impact persistence
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 fa498cfe5afae738e736455a910de45933785858125d92fa9530e8a8f6083f33

Threat Level: Likely malicious

The file a9d034cb4cc4d0111a97260da12f99fb_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries information about the current nearby Wi-Fi networks

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries information about active data network

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-14 13:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-14 13:02
Reported          2024-06-14 13:05
Platform          android-x64-20240611.1-en
Max time kernel   64s
Max time network  147s

Command Line

com.yxxinglin.xzid538136

Signatures

Checks if the Android device is rooted.

Tags evasion

Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A
N/A          /system/bin/su             N/A      N/A
N/A          /system/xbin/su            N/A      N/A

Obtains sensitive information copied to the device clipboard

Tags collection credential_access impact

Description             Indicator                                               Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  N/A      N/A

Queries information about running processes on the device

Tags discovery

Description             Indicator                                           Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about the current nearby Wi-Fi networks

Tags discovery

Description             Indicator                                   Process  Target
Framework service call  android.net.wifi.IWifiManager.getScanResults  N/A      N/A

Queries information about active data network

Tags discovery

Description             Indicator                                             Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags discovery

Description             Indicator                                      Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Queries the mobile country code (MCC)

Tags discovery

Description             Indicator                                                                Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags evasion

Description         Indicator                                        Process  Target
Framework API call  android.hardware.SensorManager.registerListener  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags persistence

Description             Indicator                                    Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.yxxinglin.xzid538136

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       N/A                       udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       172.217.16.232:443     ssl.google-analytics.com  tcp
GB       172.217.169.42:443     N/A                       tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.68:443      plbslog.umeng.com         tcp
US       1.1.1.1:53             fuli.bianxianmao.com      udp
US       1.1.1.1:53             android.apis.google.com   udp
GB       216.58.204.78:443      android.apis.google.com   tcp
GB       172.217.169.42:443     N/A                       tcp
GB       142.250.187.206:443    N/A                       tcp
GB       142.250.187.194:443    N/A                       tcp
GB       172.217.169.42:443     N/A                       tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.73:443      plbslog.umeng.com         tcp
GB       172.217.16.228:443     N/A                       tcp
GB       172.217.16.228:443     N/A                       tcp
GB       142.250.179.238:443    N/A                       tcp

Files

/data/data/com.yxxinglin.xzid538136/files/umeng_it.cache

MD5 3d42ccc6f3e8623285a65575ea838fed
SHA1 c243f3a939cf6f403b36898eba6d49026e384c3f
SHA256 f0e7101e62fc9d471b720e15c93f8aec8f29d9436a737b9c9be3ef1a358f2e06
SHA512 2cb283d33215769fcdfd98ca44a5cd47fc1734a2f9e2dab443524933417def9b32a4992d776ec2cc05312853ddac43b33b8033300ae43270492ddd40c0dae943

/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU5MzIx

MD5 549b53ba850a0eee1da4610bf3fb7af2
SHA1 33842337fa73bc294dca20a77a16a7117283a121
SHA256 1e375f52fce2a43f144a872df2400b6ce43ae57ce90e2d81f94fe44c2c1f3c67
SHA512 70b3df8be42a4e04758749fc4ced1628bdd78672f7f33721d38d28bd5d06d755fbef15ba5d8dd383534682ae7837e2df3c4d386ccdbf9df209a8bb072ac2b0a5

/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg5NDg1

MD5 21bda50c7149e1600399fbb5db6ef7c9
SHA1 835b0134ec6209fca38d55097c5e2d8ab928f5e9
SHA256 fa7122adb4a3c70b0e882b4e9a31ebc5151c9560d5e4a6c2c00999958243e772
SHA512 6e48f6eb78c14ade8df932281ddc66e04ed8a8352c1cfd4cc0f0118fdf44ffbda2d0b5acf0788973661264475a6bd030f702c6f223f010884224ed8821b17805

Analysis: behavioral3

Detonation Overview

Submitted         2024-06-14 13:02
Reported          2024-06-14 13:05
Platform          android-x64-arm64-20240611.1-en
Max time kernel   64s
Max time network  132s

Command Line

com.yxxinglin.xzid538136

Signatures

Checks if the Android device is rooted.

Tags evasion

Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A

Obtains sensitive information copied to the device clipboard

Tags collection credential_access impact

Description             Indicator                                               Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  N/A      N/A

Queries information about running processes on the device

Tags discovery

Description             Indicator                                           Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about active data network

Tags discovery

Description             Indicator                                             Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags discovery

Description             Indicator                                      Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags evasion

Description         Indicator                                        Process  Target
Framework API call  android.hardware.SensorManager.registerListener  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.yxxinglin.xzid538136

Network

Country  Destination            Domain                    Proto
GB       172.217.16.238:443     N/A                       tcp
GB       172.217.16.238:443     N/A                       tcp
N/A      224.0.0.251:5353       N/A                       udp
GB       216.58.201.106:443     N/A                       tcp
GB       216.58.201.106:443     N/A                       tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.68:443      plbslog.umeng.com         tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.180.8:443      ssl.google-analytics.com  tcp
US       1.1.1.1:53             fuli.bianxianmao.com      udp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.75:443      plbslog.umeng.com         tcp
GB       172.217.169.68:443     N/A                       tcp
GB       172.217.169.68:443     N/A                       tcp

Files

/data/user/0/com.yxxinglin.xzid538136/files/umeng_it.cache

MD5 e846d02b1316497268d4aa8b6542dcc0
SHA1 75fef41204420eae03064de27987afef9ea4f0d9
SHA256 5a4e0b5cf60b10601b095878c2ae1684bfcc7f334691d7e306311566254546e6
SHA512 56106acb821d6abab40d01cfba532bb094b6b7b3016706d12b2a3d65821dc9d1ffa95d6a6899769af39fe8cb652ba15937279dc27bb83033bde3fcf4eb35713c

/data/user/0/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU5NTI5

MD5 96eb33742d631bdbd22556162508b719
SHA1 b88bdfa8a8d88fd4598fc62934ea04e84503d23a
SHA256 74e3a0c1664b9379c4b3fe393bf569bb0aa87abcc7a00963f9dcebf2cb7faf62
SHA512 477d553afb3eb61983e7c9e4405ee8049e08bd00330eeb536762736443591fc49db30651259157caa7fb1bfad23ed85723f6f728f1f83e9fc0464f657ffb4397

/data/user/0/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg5Njgx

MD5 604db0670e9bf818faa123465f5117f6
SHA1 3a5dc6ec7c7952e8b7b15ab0963700e8e359fbd9
SHA256 5f98be70d597b1a650e435886d98866450c7d9d17cea95532e9c9336dff2557d
SHA512 11518f019ef331b9a742fd52a8ecc5c978a1daae23b1db0d6e39259509aa418557062e2fd28aba4c449d9728aad4094fc9946a6b944e64faff8f5ff1a4cea8c9

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-14 13:02
Reported          2024-06-14 13:05
Platform          android-x86-arm-20240611.1-en
Max time kernel   64s
Max time network  130s

Command Line

com.yxxinglin.xzid538136

Signatures

Checks if the Android device is rooted.

Tags evasion

Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A

Queries information about running processes on the device

Tags discovery

Description             Indicator                                           Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses  N/A      N/A

Queries information about active data network

Tags discovery

Description             Indicator                                             Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Queries information about the current Wi-Fi connection

Tags discovery

Description             Indicator                                      Process  Target
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  N/A      N/A

Queries the mobile country code (MCC)

Tags discovery

Description             Indicator                                                                Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags evasion

Description         Indicator                                        Process  Target
Framework API call  android.hardware.SensorManager.registerListener  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags persistence

Description             Indicator                                    Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.yxxinglin.xzid538136

Network

Country  Destination            Domain                    Proto
GB       172.217.169.74:443     N/A                       tcp
N/A      224.0.0.251:5353       N/A                       udp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.73:443      plbslog.umeng.com         tcp
US       1.1.1.1:53             fuli.bianxianmao.com      udp
GB       142.250.187.238:443    N/A                       tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.200.46:443     android.apis.google.com   tcp
GB       172.217.169.74:443     N/A                       tcp
GB       172.217.169.74:443     N/A                       tcp
US       1.1.1.1:53             plbslog.umeng.com         udp
CN       36.156.202.68:443      plbslog.umeng.com         tcp

Files

/data/data/com.yxxinglin.xzid538136/files/umeng_it.cache

MD5 8ceee2929466f4b3b62da8191b571d36
SHA1 f152ad1b2da2ed2524c83687fea75b0c5c17c11b
SHA256 ea8913e9642b0988d5c324cb7ed05fc220710155776babe163210c1600d01070
SHA512 698fa043bdc813c26b407ce227fce8f32c4eb122ee79cbeeed69001636470edb52ca9314165e600d1ea8c9fdc1ea44c5bc3f7086ee0aa14d0a51ff240db2ff51

/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTU4NTAy

MD5 e10feccb42b6fef5f1b3d7e036d4cd68
SHA1 bfacabab4efed661e896ecaa58b1a02ff7b8e268
SHA256 0d31ba858c79296de6d4509145cff63af4b60bf0f6aca53379410816a1ddff87
SHA512 b0f6b8737d507a7bdde87ecfa6aee55e9320475d78df9b1e8f00b6ae2c2dd6808157cb44a4da7dee69ecfdc22b519cf9cb2e84da8f53919bd9322441dae59aa5

/data/data/com.yxxinglin.xzid538136/files/stateless/dW1weF9pbnRlcm5hbA==/dW1weF9pbnRlcm5hbF8xNzE4MzcwMTg4ODA1

MD5 ec1031ebbb2632e8ad23a534987d71f5
SHA1 32a2dbaf48c8572fc3fc7aa930d694f7c37b9003
SHA256 455e6d16101f4eafd28b9c15a8a03d1dd2e1c7ca08afc75b828928ac2bad714a
SHA512 511f7314c16e3d89d91738059aee9e84e3081dcacf18daea1e0dddffe66a30ba89f8af6866a37c18b2792efb4050373288bfbdded9b7905fe6fbc6db4e2b075d