Malware Analysis Report

2025-01-19 07:45

Sample ID 240615-batvcstbla
Target ac522929ae914a28b35b7258c2339e52_JaffaCakes118
SHA256 c324e0125aa7e4ec912f55bc51426774c8833363bc43ccc1df4e6437128f1286
Tags
discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 to behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

c324e0125aa7e4ec912f55bc51426774c8833363bc43ccc1df4e6437128f1286

Threat Level: Shows suspicious behavior

The file ac522929ae914a28b35b7258c2339e52_JaffaCakes118 was found to show suspicious behavior. The sample (package com.coolang.oem) executed only in the behavioral1 and behavioral2 runs; behavioral3 to behavioral5 recorded no process, no signatures and no files, so only the first two runs describe the sample's own activity.

Malicious Activity Summary

discovery evasion persistence

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Tactics observed (from the report tags): discovery, evasion, persistence.

Analysis: static1

Detonation Overview

Reported: 2024-06-15 00:57

Signatures

Requests dangerous framework permissions

Process and Target were N/A for every entry (static analysis has no running process). Each permission is listed once, in order of first appearance.

Permission (indicator)                       Description
android.permission.GET_ACCOUNTS              Allows access to the list of accounts in the Accounts Service.
android.permission.RECORD_AUDIO              Allows an application to record audio.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.ACCESS_FINE_LOCATION      Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION    Allows an app to access approximate location.
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE     Allows an application to read from external storage.
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_CONTACTS             Allows an application to read the user's contacts data.
android.permission.RECEIVE_SMS               Allows an application to receive SMS messages.
android.permission.WRITE_SETTINGS            Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW       Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

Two of these are not runtime permissions with the dangerous protection level: WRITE_SETTINGS and SYSTEM_ALERT_WINDOW are special app-access permissions that the user grants through Settings (API 23 and later), and the sandbox groups them with the dangerous set. The remaining ten prompt the user at first use on API 23 and later; on older devices all of them are granted at install time. The combination of SMS receipt, contact access, overlay windows and device identity is the profile a triage analyst escalates first.
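The table above is what an analyst reads off a decoded manifest. The script below is an added example for this report (not code from the sample, the sandbox, or any project it describes) that performs that reading mechanically: it parses a decoded AndroidManifest.xml, lists each requested permission once, separates runtime-dangerous groups from special-access permissions, and applies a few escalation heuristics. The manifest is constructed from the permission names in the static1 table, with INTERNET and a repeated GET_ACCOUNTS added to exercise the normal-permission and duplicate paths; the group tables and the heuristics are my own assumptions, not sandbox output.

```python
"""Permission triage for a decoded AndroidManifest.xml (added example, not sandbox code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions grouped the way Android's runtime dialog groups them (assumption: my own table).
DANGEROUS_GROUPS = {
    "CALENDAR": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "CALL_LOG": {"READ_CALL_LOG", "WRITE_CALL_LOG", "PROCESS_OUTGOING_CALLS"},
    "CAMERA": {"CAMERA"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "LOCATION": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
    "MICROPHONE": {"RECORD_AUDIO"},
    "PHONE": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS", "CALL_PHONE", "ANSWER_PHONE_CALLS", "ADD_VOICEMAIL", "USE_SIP"},
    "SENSORS": {"BODY_SENSORS"},
    "SMS": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
# Special app access: granted by the user in Settings, never by a runtime dialog.
SPECIAL_ACCESS = {"SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "REQUEST_INSTALL_PACKAGES",
                  "PACKAGE_USAGE_STATS", "MANAGE_EXTERNAL_STORAGE"}

# Constructed manifest: the static1 permission list plus INTERNET and a duplicated GET_ACCOUNTS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.coolang.oem">
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return <uses-permission> names in manifest order, each counted once
    (manifests, and sandbox tables built from them, sometimes repeat an entry)."""
    names = []
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name and name not in names:
            names.append(name)
    return names


def classify(permissions):
    """Split permissions into dangerous groups, special-access entries and everything else."""
    result = {"dangerous": {}, "special": [], "other": []}
    for perm in permissions:
        short = perm.rsplit(".", 1)[-1]
        group = next((g for g, members in DANGEROUS_GROUPS.items() if short in members), None)
        if group:
            result["dangerous"].setdefault(group, []).append(short)
        elif short in SPECIAL_ACCESS:
            result["special"].append(short)
        else:
            result["other"].append(short)
    return result


def risk_flags(classified):
    """Escalation heuristics (my assumptions): combinations that justify a closer look."""
    dangerous = {p for members in classified["dangerous"].values() for p in members}
    special = set(classified["special"])
    sms = bool(dangerous & {"RECEIVE_SMS", "READ_SMS"})
    flags = []
    if sms:
        flags.append("sms-interception")
    if "SYSTEM_ALERT_WINDOW" in special:
        flags.append("overlay-capable")
    if sms and "SYSTEM_ALERT_WINDOW" in special:
        flags.append("overlay+sms")
    if "READ_PHONE_STATE" in dangerous:          # IMEI/IMSI reachable on older API levels
        flags.append("device-identity")
    if {"CAMERA", "RECORD_AUDIO"} <= dangerous and dangerous & {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"}:
        flags.append("audio-video-location-capture")
    return flags


def triage(manifest_xml):
    perms = requested_permissions(manifest_xml)
    classified = classify(perms)
    return {"requested": perms, "classified": classified, "flags": risk_flags(classified)}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(len(report["requested"]), "distinct permissions requested")
    for group, members in report["classified"]["dangerous"].items():
        print("  dangerous/%s: %s" % (group, ", ".join(members)))
    print("  special access:", ", ".join(report["classified"]["special"]))
    print("  other:", ", ".join(report["classified"]["other"]))
    print("flags:", report["flags"])
```

A real APK carries the manifest as binary XML; decode it first (for example with apktool) and feed the resulting text to triage(). The heuristics are deliberately coarse: they are meant to order a queue, not to classify a sample.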

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 00:56
Reported: 2024-06-15 01:00
Platform: android-x86-arm-20240611.1-en
Max time kernel: 2s
Max time network: 139s

Command Line

com.coolang.oem

Signatures

Loads dropped Dex/Jar

Tactic: evasion
Indicator: /data/user/0/com.coolang.oem/app_plugin/PlayerUIApk.apk
(Description, Process and Target: N/A)

Queries information about the current Wi-Fi connection

Tactic: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo
(Process and Target: N/A)

Requests dangerous framework permissions

Permission (indicator)                       Description
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
(Process and Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver
(Process and Target: N/A)

Processes

com.coolang.oem

Network

Country  Destination            Domain                     Proto
N/A      224.0.0.251:5353       -                          udp
US       1.1.1.1:53             api.youku.com              udp
GB       216.58.212.238:443     -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.200.46:443     android.apis.google.com    tcp
(- = no domain recorded for that row)

224.0.0.251:5353 is the mDNS multicast group, not a remote contact. The android.apis.google.com traffic also appears in behavioral3 to behavioral5, where no sample process ran, so it belongs to the platform image rather than to the sample. The DNS query for api.youku.com is the only name absent from those runs, and the table records no follow-on connection to a resolved address for it.

Files

/data/data/com.coolang.oem/app_plugin/PlayerUIApk.apk
MD5     453960899faf2f8710b4a89f40ff3070
SHA1    83b43b3fa9be3074300a336772d5360a5b5e4b95
SHA256  fb48fe020d71a13ce48fee53e54cb6e0120dd3fb94519ea376f170b18fb60a4a
SHA512  1824db0130b002f908f63703f247a4fce985a92b4389b6de66c991fd19ef47f724b3c71d045bb13f71c22fe2965a61b023249f1758236b69bcbef3ac522742fb

/data/user/0/com.coolang.oem/app_plugin/PlayerUIApk.apk
MD5     ac0c01be752771d01bec41ace38a337a
SHA1    341f50c23a97d311bcb6971ff4732b20fa32d4fe
SHA256  4b89f24a04562e927cf38149227f05f9049b2507adec6bdb67b808d68ad4a316
SHA512  0d326ebff770f6a20b8db1e5de8df12d6a36799e03622fe89ca08bb51e799950590bd19d027342f0031256d54676c1244900d46ed02e79fd543e36671ed9208b

On Android, /data/data/<package> is a symlink to /data/user/0/<package>, so both entries name the same file inside the app's private data directory; it is also the path the "Loads dropped Dex/Jar" signature above points at. The differing hashes show that the file's contents changed between the two captures, so the plugin APK was written more than once during the run.
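The Files sections of behavioral1 and behavioral2 list the dropped plugin under two spellings of one directory, with two different hash sets. The script below is an added example for this report (not code from the sample or from the sandbox) that does the bookkeeping an analyst wants here: it normalizes /data/data/<pkg> and /data/user/<n>/<pkg> paths to one form, decides whether a path is app-private writable storage (code loaded from there was written at runtime and is not covered by the installed APK's signature), inspects a dropped blob for ZIP/DEX structure, and groups captures by normalized path to report how many distinct versions were seen. The two in-memory "APKs" are constructed stand-ins for PlayerUIApk.apk with deliberately different contents; the package name and paths are the ones from the tables above.

```python
"""Dropped-artifact checks for the PlayerUIApk.apk captures (added example, not sandbox code)."""
import hashlib
import io
import re
import zipfile

# /data/data/<pkg>/... (legacy spelling) or /data/user/<n>/<pkg>/... (per-user spelling)
APP_DATA_RE = re.compile(r"^/data/(?:data|user/(\d+))/([^/]+)(/.*)?$")


def normalize_app_path(path):
    """Map /data/data/<pkg>/... to /data/user/0/<pkg>/...: the former is a symlink
    to the latter on Android, so both spellings denote the same file."""
    m = APP_DATA_RE.match(path)
    if not m:
        return path
    user = m.group(1) or "0"
    return "/data/user/%s/%s%s" % (user, m.group(2), m.group(3) or "")


def is_app_private_code_path(path, package):
    """True when the path is a file under the given package's private data directory."""
    m = APP_DATA_RE.match(normalize_app_path(path))
    return bool(m and m.group(2) == package and m.group(3))


def inspect_dex_container(blob):
    """Hash a dropped file and say whether it is a ZIP carrying classes.dex (APK/JAR) or a raw DEX."""
    info = {
        "md5": hashlib.md5(blob).hexdigest(),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "size": len(blob),
        "is_zip": blob[:4] == b"PK\x03\x04",
        "raw_dex": blob[:4] == b"dex\n",
        "has_dex": False,
        "has_manifest": False,
        "entries": [],
    }
    if info["is_zip"]:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
            info["entries"] = names
            info["has_dex"] = any(re.fullmatch(r"classes\d*\.dex", n) for n in names)
            info["has_manifest"] = "AndroidManifest.xml" in names
    return info


def compare_captures(captures):
    """captures: list of (path, blob). Group by normalized path and count distinct contents per path."""
    by_path = {}
    for path, blob in captures:
        by_path.setdefault(normalize_app_path(path), []).append(inspect_dex_container(blob))
    return {
        path: {
            "captures": len(infos),
            "distinct_contents": len({i["sha256"] for i in infos}),
            "all_dex_containers": all(i["has_dex"] or i["raw_dex"] for i in infos),
        }
        for path, infos in by_path.items()
    }


def build_fake_apk(dex_payload):
    """Constructed stand-in for a dropped plugin APK: a ZIP with a manifest placeholder and one DEX entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # a real APK stores this as binary XML
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


PACKAGE = "com.coolang.oem"
# Constructed: two captures of the same logical file with different contents, as in the report.
CAPTURES = [
    ("/data/data/com.coolang.oem/app_plugin/PlayerUIApk.apk", build_fake_apk(b"dex\n035\x00first-capture")),
    ("/data/user/0/com.coolang.oem/app_plugin/PlayerUIApk.apk", build_fake_apk(b"dex\n035\x00second-capture")),
]

if __name__ == "__main__":
    for path, _ in CAPTURES:
        print(path, "->", normalize_app_path(path), "| app-private:", is_app_private_code_path(path, PACKAGE))
    for path, summary in compare_captures(CAPTURES).items():
        print(path, summary)
```

With real captures, pull the file from the emulator (adb pull of the /data/user/0 path on a rooted image) and feed the bytes to inspect_dex_container(); a distinct_contents value above 1 for one normalized path is the cue to diff the versions rather than treat them as one artifact.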

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 00:56
Reported: 2024-06-15 01:00
Platform: android-x64-20240611.1-en
Max time kernel: 3s
Max time network: 132s

Command Line

com.coolang.oem

Signatures

Loads dropped Dex/Jar

Tactic: evasion
Indicator: /data/user/0/com.coolang.oem/app_plugin/PlayerUIApk.apk
(Description, Process and Target: N/A)

Queries information about the current Wi-Fi connection

Tactic: discovery
Indicator: framework service call android.net.wifi.IWifiManager.getConnectionInfo
(Process and Target: N/A)

Queries the unique device ID (IMEI, MEID, IMSI)

Tactic: discovery
(No indicator recorded for this signature in the report.)

Requests dangerous framework permissions

Permission (indicator)                       Description
android.permission.READ_PHONE_STATE          Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CAMERA                    Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE    Allows an application to write to external storage.
(Process and Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver
(Process and Target: N/A)

Processes

com.coolang.oem

Network

Country  Destination            Domain                      Proto
N/A      224.0.0.251:5353       -                           udp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       216.58.204.72:443      ssl.google-analytics.com    tcp
GB       172.217.169.10:443     -                           tcp
US       1.1.1.1:53             api.youku.com               udp
US       1.1.1.1:53             android.apis.google.com     udp
GB       142.250.187.238:443    android.apis.google.com     tcp
GB       172.217.169.78:443     -                           tcp
GB       142.250.179.226:443    -                           tcp
GB       172.217.169.42:443     -                           tcp
GB       142.250.187.196:443    -                           tcp
GB       142.250.187.196:443    -                           tcp
GB       172.217.169.14:443     -                           tcp
GB       172.217.169.74:443     -                           tcp
GB       172.217.169.74:443     -                           tcp
(- = no domain recorded for that row)

Files

/data/data/com.coolang.oem/app_plugin/PlayerUIApk.apk
MD5     453960899faf2f8710b4a89f40ff3070
SHA1    83b43b3fa9be3074300a336772d5360a5b5e4b95
SHA256  fb48fe020d71a13ce48fee53e54cb6e0120dd3fb94519ea376f170b18fb60a4a
SHA512  1824db0130b002f908f63703f247a4fce985a92b4389b6de66c991fd19ef47f724b3c71d045bb13f71c22fe2965a61b023249f1758236b69bcbef3ac522742fb

/data/user/0/com.coolang.oem/app_plugin/PlayerUIApk.apk
MD5     ac0c01be752771d01bec41ace38a337a
SHA1    341f50c23a97d311bcb6971ff4732b20fa32d4fe
SHA256  4b89f24a04562e927cf38149227f05f9049b2507adec6bdb67b808d68ad4a316
SHA512  0d326ebff770f6a20b8db1e5de8df12d6a36799e03622fe89ca08bb51e799950590bd19d027342f0031256d54676c1244900d46ed02e79fd543e36671ed9208b

These are the same two captures (identical paths and hashes) as in behavioral1.

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 00:56
Reported: 2024-06-15 01:00
Platform: android-x86-arm-20240611.1-en
Max time network: 161s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain                     Proto
N/A      224.0.0.251:5353       -                          udp
GB       216.58.201.110:443     -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
GB       216.58.204.78:443      android.apis.google.com    tcp
GB       216.58.212.202:443     -                          tcp
GB       216.58.212.202:443     -                          tcp
(- = no domain recorded for that row)

No sample process was recorded in this run, so these connections are the platform image's own traffic and not indicators for the sample.

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-15 00:56
Reported: 2024-06-15 01:00
Platform: android-x64-20240611.1-en
Max time network: 132s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain                      Proto
N/A      224.0.0.251:5353       -                           udp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       216.58.212.200:443     ssl.google-analytics.com    tcp
GB       142.250.179.234:443    -                           tcp
US       1.1.1.1:53             android.apis.google.com     udp
GB       216.58.204.78:443      android.apis.google.com     tcp
GB       142.250.200.14:443     -                           tcp
GB       172.217.169.66:443     -                           tcp
GB       216.58.201.100:443     -                           tcp
GB       216.58.201.100:443     -                           tcp
GB       216.58.204.78:443      android.apis.google.com     tcp
(- = no domain recorded for that row)

No sample process was recorded in this run, so these connections are the platform image's own traffic and not indicators for the sample.

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-06-15 00:56
Reported: 2024-06-15 01:00
Platform: android-x64-arm64-20240611.1-en
Max time network: 133s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain                      Proto
N/A      224.0.0.251:5353       -                           udp
US       1.1.1.1:53             ssl.google-analytics.com    udp
GB       142.250.200.8:443      ssl.google-analytics.com    tcp
GB       142.250.187.238:443    -                           tcp
US       1.1.1.1:53             android.apis.google.com     udp
GB       142.250.200.46:443     android.apis.google.com     tcp
GB       142.250.179.228:443    -                           tcp
GB       142.250.179.228:443    -                           tcp
(- = no domain recorded for that row)

No sample process was recorded in this run, so these connections are the platform image's own traffic and not indicators for the sample.

Files

N/A
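The Network tables of behavioral1 to behavioral5 mix the sample's traffic with the emulator's background traffic, and runs 3 to 5 contain only the latter because no sample process was recorded. The script below is an added example for this report (not sandbox code) that uses that property for triage: rows from a run without a sample process form a baseline, and each run with a sample process is compared against it to surface names not seen in the baseline, names that were resolved but never connected to, and bare-IP connections that fall outside the baseline's netblocks. The rows are copied from the behavioral2 and behavioral4 tables in the report's own "Country Destination [Domain] Proto" layout; treating no-process traffic as platform noise, and the /16 comparison for bare IPs, are my triage assumptions and stand in for the passive-DNS or ASN lookup one would use with network access.

```python
"""Baseline-versus-sample triage of sandbox network tables (added example, not sandbox code)."""

# Rows copied from the behavioral2 table (sample process com.coolang.oem recorded).
BEHAVIORAL2 = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 api.youku.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.78:443 tcp
GB 142.250.179.226:443 tcp
GB 172.217.169.42:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.14:443 tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
""".strip().splitlines()

# Rows copied from the behavioral4 table (no sample process recorded).
BEHAVIORAL4 = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.200.14:443 tcp
GB 172.217.169.66:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.204.78:443 android.apis.google.com tcp
""".strip().splitlines()

# run name -> (sample process recorded?, rows)
RUNS = {"behavioral2": (True, BEHAVIORAL2), "behavioral4": (False, BEHAVIORAL4)}


def parse_row(line):
    """Split one report row; the Domain column is absent for bare-IP connections."""
    parts = line.split()
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]}


def kind(row):
    if row["ip"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"   # multicast DNS to the link-local group, not a remote contact
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"    # resolver query; the Domain column holds the queried name
    return "conn"       # a connection to a remote endpoint


def slash16(ip):
    """Coarse netblock key (assumption: stands in for an ASN/passive-DNS lookup)."""
    return ".".join(ip.split(".")[:2])


def triage(runs):
    """Compare each run with a sample process against the traffic of runs without one."""
    baseline_domains, baseline_ips = set(), set()
    for ran, lines in runs.values():
        if not ran:
            for row in map(parse_row, lines):
                baseline_ips.add(row["ip"])
                if row["domain"]:
                    baseline_domains.add(row["domain"])
    baseline_nets = {slash16(ip) for ip in baseline_ips}
    findings = {}
    for name, (ran, lines) in runs.items():
        if not ran:
            continue
        rows = [parse_row(line) for line in lines]
        queried = {r["domain"] for r in rows if kind(r) == "dns" and r["domain"]}
        contacted = {r["domain"] for r in rows if kind(r) == "conn" and r["domain"]}
        bare = {(r["ip"], r["port"]) for r in rows if kind(r) == "conn" and not r["domain"]}
        findings[name] = {
            "new_domains": sorted((queried | contacted) - baseline_domains),
            "resolved_not_contacted": sorted(queried - contacted),
            "bare_in_baseline_netblock": sorted(e for e in bare if slash16(e[0]) in baseline_nets),
            "bare_unattributed": sorted(e for e in bare if slash16(e[0]) not in baseline_nets),
        }
    return findings


if __name__ == "__main__":
    for run, result in triage(RUNS).items():
        print(run)
        for key, value in result.items():
            print("  %s: %s" % (key, value))
```

For this report the output singles out api.youku.com as the only name outside the baseline, and notes that it was resolved without a recorded follow-on connection; every bare-IP connection in behavioral2 falls in a netblock the no-process run also used. That is the point at which an analyst would pivot to passive DNS for the bare IPs and to the dropped plugin for where api.youku.com is used.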