Malware Analysis Report

2024-10-19 11:48

Sample ID 240615-dbj3naxalb
Target aca48d63a70d9665f5bf87a2eeae9a40_JaffaCakes118
SHA256 786b31df3335677fc5eee17e8c9c661ddb4555dc1f8da2e902daed6a60d98541
Tags banker collection discovery persistence
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file aca48d63a70d9665f5bf87a2eeae9a40_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the browser bookmarks.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 02:50

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 02:50

Reported

2024-06-15 02:53

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

173s

Command Line

com.terrynow.easyfonts

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A
URI accessed for write | content://browser/bookmarks | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.terrynow.easyfonts

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | client.azrj.cn | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.terrynow.easyfonts/databases/fonts-journal

/data/data/com.terrynow.easyfonts/databases/fonts

/data/data/com.terrynow.easyfonts/databases/fonts-shm

/data/data/com.terrynow.easyfonts/databases/fonts-wal

/storage/emulated/0/easyfonts/Roboto-Regular.ttf_tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 02:50

Reported

2024-06-15 02:53

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

152s

Command Line

com.terrynow.easyfonts

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for write | content://browser/bookmarks | N/A | N/A
URI accessed for read | content://browser/bookmarks | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.terrynow.easyfonts

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.umeng.com | udp
US | 1.1.1.1:53 | client.azrj.cn | udp
CN | 59.82.29.162:80 | www.umeng.com | tcp
GB | 142.250.200.10:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
CN | 59.82.29.163:80 | www.umeng.com | tcp
GB | 142.250.200.46:443 | - | tcp
CN | 59.82.29.248:80 | www.umeng.com | tcp
CN | 59.82.29.249:80 | www.umeng.com | tcp
GB | 216.58.212.238:443 | - | tcp
GB | 142.250.200.2:443 | - | tcp
CN | 59.82.31.154:80 | www.umeng.com | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 172.217.169.68:443 | - | tcp
CN | 59.82.31.160:80 | www.umeng.com | tcp
CN | 59.82.31.210:80 | www.umeng.com | tcp
CN | 59.82.31.92:80 | www.umeng.com | tcp
CN | 59.82.31.95:80 | www.umeng.com | tcp
CN | 59.82.60.43:80 | www.umeng.com | tcp
CN | 59.82.60.44:80 | www.umeng.com | tcp
CN | 59.82.112.112:80 | www.umeng.com | tcp
US | 1.1.1.1:53 | www.umeng.co | udp

Files

/data/data/com.terrynow.easyfonts/databases/fonts-journal

/data/data/com.terrynow.easyfonts/databases/fonts

/data/data/com.terrynow.easyfonts/databases/fonts-journal

/data/data/com.terrynow.easyfonts/databases/fonts-journal

/storage/emulated/0/easyfonts/Roboto-Regular.ttf_tmp

/data/data/com.terrynow.easyfonts/files/mobclick_agent_cached_com.terrynow.easyfonts

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 02:50

Reported

2024-06-15 02:53

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

174s

Command Line

com.terrynow.easyfonts

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.terrynow.easyfonts

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.16.234:443 | - | tcp
GB | 172.217.16.234:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.umeng.com | udp
US | 1.1.1.1:53 | client.azrj.cn | udp
CN | 59.82.29.162:80 | www.umeng.com | tcp
CN | 59.82.29.163:80 | www.umeng.com | tcp
CN | 59.82.29.248:80 | www.umeng.com | tcp
CN | 59.82.29.249:80 | www.umeng.com | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
CN | 59.82.31.154:80 | www.umeng.com | tcp
CN | 59.82.31.160:80 | www.umeng.com | tcp
CN | 59.82.31.210:80 | www.umeng.com | tcp
CN | 59.82.31.92:80 | www.umeng.com | tcp
CN | 59.82.31.95:80 | www.umeng.com | tcp
CN | 59.82.60.43:80 | www.umeng.com | tcp
GB | 216.58.201.110:443 | - | tcp
CN | 59.82.60.44:80 | www.umeng.com | tcp
CN | 59.82.112.112:80 | www.umeng.com | tcp
US | 1.1.1.1:53 | www.umeng.co | udp

Files

/data/user/0/com.terrynow.easyfonts/databases/fonts-journal

/data/user/0/com.terrynow.easyfonts/databases/fonts

/data/user/0/com.terrynow.easyfonts/databases/fonts-journal

/data/user/0/com.terrynow.easyfonts/databases/fonts-journal

/storage/emulated/0/easyfonts/Roboto-Regular.ttf_tmp

/data/user/0/com.terrynow.easyfonts/files/mobclick_agent_cached_com.terrynow.easyfonts