Malware Analysis Report

2024-10-19 13:25

Sample ID 240614-s87yba1bpr
Target aa848b5265da9c3c7d673759a5f0b408_JaffaCakes118
SHA256 c166a2b0c73e8fc8a840c3f7e4a3befa8e0749b614ca5c8af991a88c19bd0a4f
Tags
banker discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c166a2b0c73e8fc8a840c3f7e4a3befa8e0749b614ca5c8af991a88c19bd0a4f

Threat Level: Shows suspicious behavior

The file aa848b5265da9c3c7d673759a5f0b408_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 15:48

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 15:48

Reported

2024-06-14 15:52

Platform

android-x86-arm-20240611.1-en

Max time kernel

168s

Max time network

180s

Command Line

com.exampl.he

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.exampl.he

com.exampl.he:pushservice

Network

Country Destination Domain Proto
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 au.umeng.com udp
US 1.1.1.1:53 au.umeng.co udp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.112:5224 sdk.open.talk.igexin.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp

Files

/data/data/com.exampl.he/databases/pushsdk.db-journal

MD5 976bbade9f2899aaf770ba191ecb5135
SHA1 f52214393227a18eb34890efb806771d6021d466
SHA256 860110d2e98a849d4becab389e34c9427e91a2af1948c639ca24be88a78d4414
SHA512 cc089c28cc76ba33ca92217667837ee0dc1431bab2e0591efc89e439a2d8c183476b7fe29e68b93852699e1683fa48f590732c39f0b90cd7897bd0d9852364ba

/data/data/com.exampl.he/databases/pushsdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.exampl.he/databases/pushsdk.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.exampl.he/databases/pushsdk.db-wal

MD5 36de92552519813ed64214698d5442cb
SHA1 a9342532a0c8cf43084f400552dc5b24e5bae594
SHA256 fe6cc996d72c7b8b43685bb5f3a03f933cd39f08a35987b7a6b5317765b77837
SHA512 68436cf7bf88269b8ed6fc3b573a8b0325ca199ca5334b48b2c73e99146ed85fb283505802c9f1ac29db7cebdb47d63d8c7d85eaf4ec6d91a789e12c54dc23e1