Malware Analysis Report

2024-09-09 15:59

Sample ID 240614-rw6daavbpe
Target aa315bb727942017e4b480477551b769_JaffaCakes118
SHA256 7aeb912ec757a008c04a0a43d5df0cecb650047bc8ab179c5932df8f0d6921d1
Tags
discovery persistence banker collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7aeb912ec757a008c04a0a43d5df0cecb650047bc8ab179c5932df8f0d6921d1

Threat Level: Shows suspicious behavior

The file aa315bb727942017e4b480477551b769_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence banker collection credential_access impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 14:33

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 14:33

Reported

2024-06-14 14:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

4s

Max time network

159s

Command Line

com.netmite.andme

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.netmite.andme

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 14:33

Reported

2024-06-14 14:36

Platform

android-x64-20240611.1-en

Max time kernel

5s

Max time network

131s

Command Line

com.netmite.andme

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.netmite.andme

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.46:443 tcp
GB 172.217.16.226:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 14:33

Reported

2024-06-14 14:36

Platform

android-x64-arm64-20240611.1-en

Max time kernel

5s

Max time network

132s

Command Line

com.netmite.andme

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.netmite.andme

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

N/A