Malware Analysis Report

2024-10-19 13:26

Sample ID 240614-rvlx9avbjh
Target aa2f097cc4c6c50db3b1f4920a0d7058_JaffaCakes118
SHA256 812db8231164be8cda509398440e5f56764645e54fa258530abbad520af5d424
Tags
banker discovery persistence
score
7/10

Analysis Overview

score
7/10

SHA256

812db8231164be8cda509398440e5f56764645e54fa258530abbad520af5d424

Threat Level: Shows suspicious behavior

The file aa2f097cc4c6c50db3b1f4920a0d7058_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:30

Signatures

Requests dangerous framework permissions

Indicator    android.permission.READ_PHONE_STATE
Description  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process      N/A
Target       N/A

Indicator    android.permission.RECEIVE_SMS
Description  Allows an application to receive SMS messages.
Process      N/A
Target       N/A
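The static1 check above is a manifest inspection: it lists the requested permissions and flags those Android classifies as runtime ("dangerous") permissions. The script below is an added example, not part of the sandbox output, that reproduces this check over a decoded AndroidManifest.xml. It assumes the manifest has already been decoded to plain XML (the copy inside an APK is binary XML and must first go through apktool or androguard), the DANGEROUS set is a hand-picked subset of the platform's dangerous permissions rather than the full list, and the sample manifest is constructed: it carries the two permissions from the table plus INTERNET (normal level, so it must not be flagged) and a statically declared SMS_RECEIVED receiver that the report did not observe, included to show the manifest-declared counterpart of the runtime receiver registration seen in behavioral1.

```python
"""Flag runtime ("dangerous") permissions in a decoded AndroidManifest.xml.

Added example, not part of the sandbox report. Assumes the manifest is plain
XML (decode a real APK with apktool or androguard first). DANGEROUS is a
hand-picked subset of Android's dangerous permissions, not the full list.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PRIORITY_ATTR = "{%s}priority" % ANDROID_NS

# Subset of permissions with protectionLevel "dangerous" (assumption: extend
# from the platform's own AndroidManifest.xml for a complete list).
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample manifest: the two permissions from the static1 table, one
# normal-level permission that must not be flagged, and a static SMS receiver
# (not something the report observed; added to show the manifest-side pattern).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.koogame.lib.xiyou">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="sample">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def dangerous_permissions(manifest_xml: str) -> List[str]:
    """Requested permissions that fall in the DANGEROUS (runtime) set."""
    return [p for p in requested_permissions(manifest_xml) if p in DANGEROUS]


def sms_receivers(manifest_xml: str) -> List[Tuple[str, Optional[str]]]:
    """Receivers with an intent-filter for SMS_RECEIVED: (class, filter priority).

    A high-priority SMS_RECEIVED receiver next to RECEIVE_SMS is the classic
    pattern for intercepting one-time codes, so it is worth surfacing together
    with the permission itself when triaging.
    """
    root = ET.fromstring(manifest_xml)
    hits = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                hits.append((recv.get(NAME_ATTR), flt.get(PRIORITY_ATTR)))
    return hits


if __name__ == "__main__":
    print("requested:", requested_permissions(SAMPLE_MANIFEST))
    print("dangerous:", dangerous_permissions(SAMPLE_MANIFEST))
    print("SMS receivers:", sms_receivers(SAMPLE_MANIFEST))
```

Run it against the decoded manifest of the sample to confirm that READ_PHONE_STATE and RECEIVE_SMS are the only runtime permissions requested; any SMS_RECEIVED receiver it reports is worth reading alongside the RECEIVE_SMS finding, since the runtime registerReceiver call seen in behavioral1 will not appear in the manifest at all.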

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:30

Reported

2024-06-14 14:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

131s

Command Line

com.koogame.lib.xiyou

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.koogame.lib.xiyou

Network

Country  Destination              Domain                    Proto
GB       172.217.169.74:443       -                         tcp
N/A      224.0.0.251:5353         -                         udp
US       1.1.1.1:53               alog.umeng.com            udp
CN       223.109.148.176:80       alog.umeng.com            tcp
US       1.1.1.1:53               xpay.koogame.cn           udp
CN       47.112.112.18:18044      xpay.koogame.cn           tcp
CN       223.109.148.141:80       alog.umeng.com            tcp
GB       142.250.187.238:443      -                         tcp
US       1.1.1.1:53               android.apis.google.com   udp
GB       142.250.200.46:443       android.apis.google.com   tcp
CN       223.109.148.178:80       alog.umeng.com            tcp
US       1.1.1.1:53               android.tenddata.com      udp
CN       223.109.148.179:80       alog.umeng.com            tcp
CN       223.109.148.130:80       alog.umeng.com            tcp
CN       223.109.148.177:80       alog.umeng.com            tcp
US       1.1.1.1:53               alog.umeng.co             udp

(- = no domain recorded for the destination)
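The Network table mixes two kinds of rows: UDP/53 rows to 1.1.1.1 are the sandbox resolver answering the app's lookups, while the TCP rows are the connections the app actually made, and the Domain column is empty on some rows, so a naive whitespace split yields three or four tokens. The script below is an added example, not part of the sandbox output, that parses the rows as copied from the table above, separates lookups from connections, lists the domains that were only resolved but never contacted (android.tenddata.com and the truncated alog.umeng.co lookup), and matches domains against an indicator set. That set is a constructed stand-in for an external feed such as the echap.eu.org list the report cites; it is not that list.

```python
"""Triage the flattened Network table of a sandbox report.

Added example, not part of the sandbox output. Rows are copied verbatim from
the behavioral1 Network table; INDICATORS is a constructed stand-in for an
external indicator feed, not the echap.eu.org list itself.
"""
import re
from collections import defaultdict

# Rows copied from the report. Some rows have no Domain column, so the parser
# must accept both 3- and 4-token lines.
NETWORK_ROWS = """\
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.176:80 alog.umeng.com tcp
US 1.1.1.1:53 xpay.koogame.cn udp
CN 47.112.112.18:18044 xpay.koogame.cn tcp
CN 223.109.148.141:80 alog.umeng.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
US 1.1.1.1:53 android.tenddata.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
"""

# Constructed indicator set (assumption: replace with a real feed in practice).
INDICATORS = {"alog.umeng.com", "android.tenddata.com"}

DEST_RE = re.compile(r"^(?P<ip>[0-9.]+):(?P<port>\d+)$")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:          # Domain column empty on this row
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError("unexpected row: %r" % line)
        m = DEST_RE.match(dest)
        if not m:
            raise ValueError("bad destination: %r" % dest)
        rows.append({"country": country, "ip": m["ip"], "port": int(m["port"]),
                     "domain": domain, "proto": proto})
    return rows


def is_dns_lookup(row):
    """UDP/53 rows are the sandbox resolver's queries, not contact with the domain."""
    return row["proto"] == "udp" and row["port"] == 53


def is_mdns(row):
    """Link-local multicast DNS noise from the emulator, not app C2."""
    return row["ip"] == "224.0.0.251" and row["port"] == 5353


def summarize(rows):
    """Map each domain to the set of (ip, port) the app actually connected to."""
    contacted = defaultdict(set)
    for r in rows:
        if r["domain"] and not is_dns_lookup(r) and not is_mdns(r):
            contacted[r["domain"]].add((r["ip"], r["port"]))
    return dict(contacted)


def resolved_only(rows):
    """Domains looked up but never connected to (failed resolution, or the
    connection fell outside the network capture window)."""
    looked_up = {r["domain"] for r in rows if r["domain"] and is_dns_lookup(r)}
    return sorted(looked_up - set(summarize(rows)))


def indicator_hits(rows, indicators=INDICATORS):
    """Rows whose domain is in the indicator set, split into lookups and connections."""
    hits = {"lookup": [], "connection": []}
    for r in rows:
        if r["domain"] in indicators:
            hits["lookup" if is_dns_lookup(r) else "connection"].append(r)
    return hits


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for domain, dests in sorted(summarize(rows).items()):
        print(domain, sorted(dests))
    print("resolved only:", resolved_only(rows))
    hits = indicator_hits(rows)
    print("indicator connections:",
          [(r["domain"], r["ip"], r["port"]) for r in hits["connection"]])
```

Two things the summary makes visible that the flat table hides: alog.umeng.com was contacted on six different 223.109.148.x addresses over plain HTTP on port 80, which is a load-balanced analytics endpoint rather than a single host worth blocking by IP, and xpay.koogame.cn on the non-standard port 18044 is the only destination tied to the app's own publisher and so the one to inspect first when pulling the pcap.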

Files

/data/data/com.koogame.lib.xiyou/files/tcagent.db-journal

MD5 22de8d5c7a60a2f2e879cf5f4da31079
SHA1 5ddf34d22d798bc85fcfb5e3274dc727fca7e245
SHA256 8423c6230eb5d49144d4c1f0cb27b59fdde03948099ec336930881be18170aa5
SHA512 48f3ed0104c5f7caa1b08c981118ec6eb18cac92b7ebb17c76c2f2a3e344eda34d905daffb0efc553a8e29fb4b57494eec39f07928f783b771b636a01e8aae2d

/data/data/com.koogame.lib.xiyou/files/tcagent.db

MD5 2914b099371f6bad7952b1c6c01872c1
SHA1 99c0049987ae49edc65c06a909314780b9fccae4
SHA256 a1685c7009a5778d293a84ab4da6d0d5a8ea161b52d4e4e4160988b3b0f62315
SHA512 bec3b996b82fceeecd43333e79d5eb6f3b1afd0e5e71dc17663b5b2bec22ed3fcbe8b080adcb0a51a82eb04b2d8bda99387404a9f04b7cfd941fe10222561a20

/data/data/com.koogame.lib.xiyou/files/tcagent.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.koogame.lib.xiyou/files/tcagent.db-wal

MD5 c1b8c988203545a070fa9ea79fb5adb6
SHA1 83bc4bc6bcd3d88967dab5b4a7075fc868c0d7b4
SHA256 9b3c556479c3fe763c5f0747e1652fe2952e1995bc1f50e0eb6902c504279157
SHA512 833127ba18b9de1c5561e8621bb6abc6d151e408397241664f985e3e9766d6a5cf63d9c6d951d1763c9f0d96a8235b5b608c9002ebcfc23a92fa1bc96188ccbb

/data/data/com.koogame.lib.xiyou/files/game1.sav

MD5 f4f96968f5e0d17d25f6c3e21358ee82
SHA1 26136b246ce9c9ba8178c158f96defdd46d1462d
SHA256 108890d7f6d92585fe9e1c53198a284769d6182811128957a0961f2fa1f85f45
SHA512 5babd2e35b99c27bd5d196907dd6e834c5082663b7f1cc64774be0a558984a8b2ffbdd3b7ea1f2fbdd7ae07ef7281df2ccae0e038b0894c0a9a66f032b011dc5

/data/data/com.koogame.lib.xiyou/files/mobclick_agent_cached_com.koogame.lib.xiyou

MD5 e3b380a04eb549f8d1943ca5a0204c00
SHA1 05011dff537fc293d73467b8937679f5312aae1c
SHA256 df73406a8d72f9a2d992f6476394fe12d07cc61e85224e3ed886d037c6e94e1d
SHA512 fdc633b0ad0380eadad31974d56b5f43824de4f8637d486551428f9cb88970dee5476982ffc3be440578297ce5a0a3be2bb62a3aef761371c5677fc533e3bdb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:30

Reported

2024-06-14 14:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

2s

Max time network

157s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

N/A