Malware Analysis Report

2024-07-28 11:34

Sample ID 240614-zbec3avdjc
Target ab556e65ca96f69da7977dcad91b20bc_JaffaCakes118
SHA256 bfd50d7a681ebbe18fbbc2b375737e1f2a54e8d7a28ceef45deb1c301020aa8a
Tags: banker collection discovery evasion impact privilege_escalation stealth trojan

Score: 8/10

Analysis Overview

Score: 8/10

SHA256

bfd50d7a681ebbe18fbbc2b375737e1f2a54e8d7a28ceef45deb1c301020aa8a

Threat Level: Likely malicious

The file ab556e65ca96f69da7977dcad91b20bc_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Reads the content of SMS inbox messages.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Reads the contacts stored on the device.

Reads information about phone network operator.

Tries to add a device administrator.

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 20:32

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 20:32

Reported

2024-06-14 20:35

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

169s

Command Line

com.kdneyuiko.xrwxr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A
N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.kdneyuiko.xrwxr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/oat/x86/qxvnrw.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
DE | 85.93.5.109:80 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
DE | 85.93.5.109:80 | | tcp

Files

/data/data/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 ff264728847ded68d9f24c9bce4686e0
SHA1 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e
SHA256 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7
SHA512 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49

/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 e9e233438d90689dd4214e8a0eae6200
SHA1 e27d14532d63f24c635005ad8eee609100161d42
SHA256 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec
SHA512 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610

/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 a7251a2c56502de0292795c545a0b98d
SHA1 1831a16bf6f063ca32870e344aaff5c83dbf0f58
SHA256 5b8c194b625af412b2fb6f59d47d4723fe9cc4ca851b0654059bccf594734486
SHA512 de14465bb9dfc2f212bc7c5241dcee748491a5cc5fe669541b4973943915607f01ce045c6b6ca24aa5720fb948bd3afa91e984cb6ba785ea8eee04f672625b79

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 20:32

Reported

2024-06-14 20:35

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

175s

Command Line

com.kdneyuiko.xrwxr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

com.kdneyuiko.xrwxr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.42:443 | | tcp
DE | 85.93.5.109:80 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.179.238:443 | | tcp
DE | 85.93.5.109:80 | | tcp

Files

/data/data/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 ff264728847ded68d9f24c9bce4686e0
SHA1 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e
SHA256 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7
SHA512 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49

/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 e9e233438d90689dd4214e8a0eae6200
SHA1 e27d14532d63f24c635005ad8eee609100161d42
SHA256 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec
SHA512 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 20:32

Reported

2024-06-14 20:35

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

177s

Command Line

com.kdneyuiko.xrwxr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.kdneyuiko.xrwxr

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.234:443 | | tcp
GB | 172.217.16.234:443 | | tcp
DE | 85.93.5.109:80 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
DE | 85.93.5.109:80 | | tcp

Files

/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 ff264728847ded68d9f24c9bce4686e0
SHA1 0d1e7c3793cbb624745dc7e9500676c6cf0f7b0e
SHA256 8c56b566cc4522764cdc8755d7daa098497fb6c9cc74146e4399777803273dc7
SHA512 697926138d8bc3de9cdea6571cce8b15b54f24ebc3f9afde665dca260d3e01d128a4a28254b8e395de697ed038fd5650e7916d9d873d5626a7c965508d1f7b49

/data/user/0/com.kdneyuiko.xrwxr/app_pxwdy/qxvnrw.jar

MD5 e9e233438d90689dd4214e8a0eae6200
SHA1 e27d14532d63f24c635005ad8eee609100161d42
SHA256 8c538b4cf04b73b168eb9ee1b52c6c393eedeeb6736b6e53df1cecd7c7e549ec
SHA512 57070ce9e281942f67d2396566afa91542d4af55834b024856bc43b93adbc9967322a8ec46dcc47e9b14a8dd908093aa9fee5c88e651335bc7d42efd57d94610