Malware Analysis Report

2024-09-09 16:01

Sample ID 240615-eq9gjaydmh
Target acd5e3a943d00709b9d6678d5b000bbf_JaffaCakes118
SHA256 444a2634df68d083b1e1d7004ec1d4d52d25d2ff7f62d9275bfa71937a7bb554
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

444a2634df68d083b1e1d7004ec1d4d52d25d2ff7f62d9275bfa71937a7bb554

Threat Level: Shows suspicious behavior

The file acd5e3a943d00709b9d6678d5b000bbf_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 04:09

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 04:09

Reported

2024-06-15 04:13

Platform

android-x86-arm-20240611.1-en

Max time kernel

153s

Max time network

172s

Command Line

com.lng168.yxtapp

Signatures

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lng168.yxtapp

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | yzx2.lng168.com | udp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp

Files

/data/data/com.lng168.yxtapp/databases/_ionicstorage-journal

MD5 735dbbe6015b1ff90cc821c0f88b96a3
SHA1 e4efbc5549ed1fa04ebe80c7dcf9921c8a53236c
SHA256 3e0a393b8882d3a6a82b14ed5389f8a88be7186d08920fd663aa1cfe80ba76fc
SHA512 ca684d8835c069cdf7bb0c45595bc8046e59b94a9652284a4e2b3d938fb7758a8e6cf1ac0605a881c98a99c71239f001ce153aa79794fcf352fc46bdd57bf1d2

/data/data/com.lng168.yxtapp/databases/_ionicstorage

MD5 61143da4a088455681eb3f4dff524952
SHA1 0750021af8aa346caff662acfe66600310a645e7
SHA256 0af141959bf6e4b7dfe7471ae7993c2416375bfb29a78fa724762a918f0c27b5
SHA512 1f3e48c582338afc10b0eafb13da5a8508949359d28f10083f981fc8d516d2fc3a81bdbb6eeaafb262f78d6bebe8ad1025a99a0db0a2f0f39a071b77b4191b1a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 04:09

Reported

2024-06-15 04:13

Platform

android-x64-20240611.1-en

Max time kernel

160s

Max time network

182s

Command Line

com.lng168.yxtapp

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lng168.yxtapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | yzx2.lng168.com | udp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 172.217.169.66:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.204.78:443 | | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp
CN | 47.95.241.237:80 | yzx2.lng168.com | tcp

Files

/data/data/com.lng168.yxtapp/databases/_ionicstorage-journal

MD5 6e7c42b18aa6bbb92d9c3c02d01bfdb4
SHA1 8c2e94ed8c8dc2de5c88103cb313399b02160137
SHA256 78f41021c350f4adcae1a08d45d248d4c5955f3def062e2dd9f12d2819c2f2be
SHA512 aacdb50137e3b31bb8960b450212b97c1d8d1d2897941c0a4e10994ec64ed3cf4891a183a4c1e6541eb99228cfc1db15e8cabfc13e4f0cbd40bcae2e5432d7b0

/data/data/com.lng168.yxtapp/databases/_ionicstorage

MD5 61143da4a088455681eb3f4dff524952
SHA1 0750021af8aa346caff662acfe66600310a645e7
SHA256 0af141959bf6e4b7dfe7471ae7993c2416375bfb29a78fa724762a918f0c27b5
SHA512 1f3e48c582338afc10b0eafb13da5a8508949359d28f10083f981fc8d516d2fc3a81bdbb6eeaafb262f78d6bebe8ad1025a99a0db0a2f0f39a071b77b4191b1a