Malware Analysis Report

2024-09-09 16:04

Sample ID: 240614-z172nswdlf
Target: ab7cbe5faec3d964479537a5967ad70c_JaffaCakes118
SHA256: e88995104eb72670f3435f982d2657cf93ffb3621d865dc66ac3882a4c9959b4
Tags: discovery evasion persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 7/10
SHA256: e88995104eb72670f3435f982d2657cf93ffb3621d865dc66ac3882a4c9959b4
Threat Level: Shows suspicious behavior

The file ab7cbe5faec3d964479537a5967ad70c_JaffaCakes118 was classified as "Shows suspicious behavior".

Malicious Activity Summary

Tags: discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard
Loads dropped Dex/Jar
Queries the unique device ID (IMEI, MEID, IMSI)
Requests dangerous framework permissions
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 21:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:15
Platform: android-x86-arm-20240611.1-en
Max time kernel: 159s
Max time network: 176s

Command Line

com.moon.hao2.mhnn3

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.moon.hao2.mhnn3

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar --output-vdex-fd=87 --oat-fd=88 --oat-location=/data/user/0/com.moon.hao2.mhnn3/files/oat/x86/__pasys_remote_banner.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | blog.sina.com.cn | udp
CN | 202.108.0.52:80 | blog.sina.com.cn | tcp
US | 1.1.1.1:53 | mobads.baidu.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
GB | 216.58.212.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp

Files

/data/data/com.moon.hao2.mhnn3/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

/data/data/com.moon.hao2.mhnn3/files/umeng_it.cache

MD5 0e675e6426a811cca04108e36f311036
SHA1 ecad3630318c93a7fe4dca9fdad0e22cb55e8d71
SHA256 11ead35990d1cda1d4e590959e3a95fce341167f90e22cbe1abe1c6e20dcb90a
SHA512 e76fef43765fab8fdd3c675ebaba64feded361c9a8a0ac185bac62b484263cfa506522846c941dbe27d8213ef7dc91885c06a6e404e3d349e39479f566182331

/data/data/com.moon.hao2.mhnn3/files/.imprint

MD5 03ae81f5bb749d37712d3149293656ec
SHA1 baaa32399443118d4c3630bbbc2785f6dfce7ea4
SHA256 66f11f5f1188ceecc7459462558793349c093b69217a4a0611601c5da00fccd9
SHA512 dc5e69b94f081c50fee84e722556995056e821dfb6f8fedbca2380d004ed1df63f5f8b496c26d849ecf0e7e0819587c2a80c572567da32c73298d2c3538c6bd5

/data/data/com.moon.hao2.mhnn3/files/umeng_it.cache

MD5 ee651f056698d17bb748e47b23784cd3
SHA1 b2f480c92c12d5dbfc6e8fd2783883cdb0bb11ac
SHA256 31cce6e14508f9eebaecd8a7eb17eecd504b41c5178ceb0def4d1f1c2d60a82c
SHA512 170c16e44382e736cb4b59a63d5a4f28595df197c163b8857c39d1c6112aecefe08b279aaca14ccc9546a601ca2f7ca8053e74c931ca59300fd44bc17135485b

/data/data/com.moon.hao2.mhnn3/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 d1f9bac1b1e5f35eb52d2317d8892e96
SHA1 9b79db483170d5a6ad27207d766d1e7bc282c588
SHA256 3f8291af2c0eae46601ed6257a705097bdf95758257e3803a25609de7b63976c
SHA512 ac92dfa0b2f398b84aa3fcf753cb789cd97041693558bbbd868c054422331161f30a4ea78b83c0844e69a71621ae5efc3a47783e411dbd85a9ebc91f65f0bd01

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:15
Platform: android-x64-20240611.1-en
Max time kernel: 160s
Max time network: 181s

Command Line

com.moon.hao2.mhnn3

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.moon.hao2.mhnn3

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | blog.sina.com.cn | udp
CN | 202.108.0.52:80 | blog.sina.com.cn | tcp
US | 1.1.1.1:53 | mobads.baidu.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 |  | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
GB | 172.217.16.226:443 |  | tcp
GB | 142.250.178.14:443 |  | tcp
GB | 142.250.178.4:443 |  | tcp
GB | 142.250.178.4:443 |  | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 172.217.169.46:443 |  | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | mobads.baidu.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp

Files

/data/data/com.moon.hao2.mhnn3/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

/data/data/com.moon.hao2.mhnn3/files/umeng_it.cache

MD5 701b80a588aeb3ebd26106873c48f908
SHA1 75b28870454fe8349dc61b8400ae62413f916b5c
SHA256 4fb814fd0c79078baf188d0d48c583cb8fb4bf12b692d0c700fd895d9e88ffb9
SHA512 4231a36b493b93ed0cfbe6f476b06d986ebe3aee27754bf014df464b547ff120b34c0e4482c63060031793d0c49d2fb6c70ddb121b68cd1781d9a9ecdd7d5bb8

/data/data/com.moon.hao2.mhnn3/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 12ab7f7aac8ea6c3ac2d06cd4ed40c09
SHA1 e4b380110108c1eed2effc44348d47169c3553f7
SHA256 492d1a9638c9ba43dde1eb956cea5e0a16365c826596c76faefda64342dc3940
SHA512 93a536ef2b2fc55018c7cbd4c9bd4432e707b578f57fc6b1ccdbdd68b46252c27b907ea603c8c2728eaa74fc6725e634d0da29654e23b50e3650b509e017e4c2

/data/data/com.moon.hao2.mhnn3/files/.um/um_cache_1718399602388.env

MD5 a897aa4ee8b44b17f727d118b142da8b
SHA1 99e7a820d1b0d3cfad0e706968519f3ca8c976ff
SHA256 ecce0cbc3d0770dfe7ee93c5f21f36efe86d26ce6ebf10ce7b2999b495755f18
SHA512 b39509a8b30de0e6cb4340de3a64dbe107e79d206209d04f515477b10376c95e3c76df19ca963cd58e9a6f3bc29545a0b4667b822a824c9d3dc76572ca5563e0

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:15
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 161s
Max time network: 182s

Command Line

com.moon.hao2.mhnn3

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.moon.hao2.mhnn3

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 |  | tcp
GB | 142.250.187.206:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | blog.sina.com.cn | udp
CN | 202.108.0.52:80 | blog.sina.com.cn | tcp
US | 1.1.1.1:53 | mobads.baidu.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | mobads.baidu.com | udp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp
CN | 182.61.200.101:80 | mobads.baidu.com | tcp

Files

/data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.tmp.jar

MD5 2ad9fb4b2d9b333883b7e38f61c2fd2f
SHA1 5b85041452d173ed0d81d25b9ca78608a998e328
SHA256 b9310a99f1b60959f6b725eea74623dc491adec55da740c17e8c7e02f35818f5
SHA512 6fc04e1e22ebf8920b4928a8086cf3e0814d155f79f80d71622916f6a0911262382710e5ee2acea653db4b387730e201134592cb9992b14f3aef8b09d83bda90

/data/user/0/com.moon.hao2.mhnn3/files/__pasys_remote_banner.jar

MD5 c601107d24f96646ae86f74b0fea880c
SHA1 8a8ce84fe5b6e186ddcd69c8757de4fb1aae7ed1
SHA256 939120d702d97dc47c6963d98dc1d2694e0fae5f5d5199c0755f54741a3c2a16
SHA512 b573a0d74ea8c6e99c3ebad4ac7b42ce46940231f8a90c9b19c887c6c20356235241068d187aab2bae9914c3df84cbe80bca13b5b6d070247353f5e5eb282f33

/data/user/0/com.moon.hao2.mhnn3/files/umeng_it.cache

MD5 6609847488f81cb910a9db2bf1246c27
SHA1 991fa79f944f294bfd8b53f2111311ed870bb4d4
SHA256 c7eab15fc93ab542cdbddcf03ebc04a7bc3df4ca860bd1995b4f795c2ae5bc1b
SHA512 1d9a431db8a2629d9bf0df16b585865311cc35721dd7bd92397bf450503891047094d8471047a6b304d93179947764446fd589c98773be57c4aa8c6f4a9e62c1

/data/user/0/com.moon.hao2.mhnn3/files/oat/__pasys_remote_banner.jar.cur.prof

MD5 03315d134b33df8e66371c3805b81230
SHA1 49f5491ca8a30fa3b051e8604b9c79d27f157aed
SHA256 3f2ff05978b2056d20118d502605b9e637820e1d00f4bae7f419cb951754178e
SHA512 91164900c11f56ce83ec05f9133a532dbb8d0a4ae43ca2e55f7069845f006530471671141f78be9c00818b7f7ee6f555cbd0de8a60eed08b8610adf8aa1a2432

/data/user/0/com.moon.hao2.mhnn3/files/.um/um_cache_1718399603347.env

MD5 df8bd7fa3a0aa0d41e2085f23602df4c
SHA1 34b36eda5214152fb37b8928aa3b40be206061aa
SHA256 d665f1bec40191fa6294eebe01b82726e95eb6b8e1c40f95f9d6ff10fc2c7a68
SHA512 64b0b615e2990a650bca57bd609539f8633cdb3fe4b86db5b2eeb1a1e5b4a70d75749eb0308011e791380023d7a265a404150ddafd6352cacbad4019ef1dcb3a

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:12
Platform: android-x86-arm-20240611.1-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:12
Platform: android-x64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-06-14 21:12
Reported: 2024-06-14 21:12
Platform: android-x64-arm64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 |  | tcp
GB | 142.250.187.206:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp

Files

N/A