Malware Analysis Report

2024-09-09 16:00

Sample ID 240615-gjl4rszgka
Target ad0f597b399d63386605b15541cc6d93_JaffaCakes118
SHA256 4b21f82f5c8f9b64de099faa770863ee3ad42592a388d0c6a395a30de1ee85c6
Tags
discovery persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

4b21f82f5c8f9b64de099faa770863ee3ad42592a388d0c6a395a30de1ee85c6

Threat Level: Shows suspicious behavior

The file ad0f597b399d63386605b15541cc6d93_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries information about active data network

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 05:50

Signatures

Requests dangerous framework permissions

Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an app to access approximate location.
Indicator: android.permission.ACCESS_COARSE_LOCATION
Process: N/A
Target: N/A

Description: Allows an app to access precise location.
Indicator: android.permission.ACCESS_FINE_LOCATION
Process: N/A
Target: N/A

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:50

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:50

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:53

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

179s

Command Line

net.kairosoft.android.horse_ja

Signatures

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

net.kairosoft.android.horse_ja

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp
US       1.1.1.1:53          config.adview.cn          udp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
GB       216.58.201.110:443                            tcp
US       1.1.1.1:53          android.apis.google.com   udp
GB       142.250.187.238:443 android.apis.google.com   tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp

Files

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 d9beb1f9c823890e8b456bf146ec62bb
SHA1 ae99e1992eb64a509171c6a633c38066adb9e1ab
SHA256 ba59ebcf284f6e536bd3ae1867080bc998385705e1ee4da34dd042d92e960904
SHA512 e074c25d12914712b088ad4d4d188b97b272b303dc1ee4c799b2420ce08d74e035eb989f63c698dbdb0af06beccd5f6235342d586bb15653ca39728b7f59955f

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-wal

MD5 b169f569c8031130a5f2d5e35863c456
SHA1 7c7333298fe093603403593d6b3d5a2fdf048a3c
SHA256 f208d413edb64e764df48d35cd99382941708ae5e8967f2c37661713b02e2397
SHA512 0e403f317e30cf4f96a478aa0e2ed10a6a764052f17904640a5764f01be01747488deb8147471bb4b616608865acab296e88ad2f90409e8b48f1d5c142d01413

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 5a89d9620096235107d6bc22c9bae945
SHA1 88b6d17d675740a0a8dbf272af19523e20aca3d7
SHA256 c20768b2fc57737982feece7cc3c99bda09f11f6edcc7b71a5c705af34fbc3d2
SHA512 7dbc480637e3700e41af8b6d5479173a093daaa509cbb20f6a41e2fd4254ea50aa67b5f40f0f24106446c597657f6129e2616e74f50dbb4caf7ebe5d20d8c915

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db

MD5 faa894e54629c824b65b04d3442cb83e
SHA1 2763e002af3a7230676d253bfc19f09252cabcbb
SHA256 89f0359d7c6fd98c2403f473ac879eccca483db035559ab0d0e3d32d9654b9cb
SHA512 2be5b3c02bce0eaf0b1ad75789efed0eba58da89ee6c0c79de799eb40cd3bacffaf4942ac4e82455dabd4f8e459221f1fbe09fb463b3c9c278c19ce694c6d140

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db-wal

MD5 69cf6d00fa6a12325422c87ec543fa5b
SHA1 6b2028a2dfaf182d18804e52626991450fadeb70
SHA256 d46332dd9ac50f89df9bffdce807e93fd999f7795df55b02b17a55321b0de596
SHA512 2ee40df999e40ef03cb2c8ee89b68680207bb618489d302e2f9ff15e775d576fefc58e428e2a78563723e4b2d1dfd06d789a8fe3d44dd30f37d0ea1486c676b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:53

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

179s

Command Line

net.kairosoft.android.horse_ja

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

net.kairosoft.android.horse_ja

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp
GB       172.217.169.42:443                            tcp
US       1.1.1.1:53          ssl.google-analytics.com  udp
GB       142.250.179.232:443 ssl.google-analytics.com  tcp
US       1.1.1.1:53          config.adview.cn          udp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
GB       172.217.169.42:443                            tcp
US       1.1.1.1:53          android.apis.google.com   udp
GB       142.250.200.14:443  android.apis.google.com   tcp
GB       142.250.179.238:443                           tcp
GB       142.250.187.206:443                           tcp
GB       142.250.187.194:443                           tcp
GB       172.217.169.42:443                            tcp
CN       211.103.153.95:443  config.adview.cn          tcp
GB       172.217.16.228:443                            tcp
GB       172.217.16.228:443                            tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp

Files

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 063904b26fa6faf340f92193f5d35a86
SHA1 c45499e942af42705e478cd4ed68e9a4b5361e5b
SHA256 83aec6facbdc9ab62b1d51e1ab66fa810f5623ad6ccabcf305e1880b823c4c22
SHA512 ee6be386c818fe6ea6eb127273540c254cd97dc9ba685e59e938040205890297c80bea7af096ce959cbbfeff1eff207ce474f5c3adffd3e08617b397fdf92676

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db

MD5 99dee33de90b63d945b3d32d0dfea63f
SHA1 ca2204612d825330c97f653e8583279f65e84fa2
SHA256 df9b1adb1e0f611a1ef9f7fa2b0473638aed7695e5bf67081540a754c887be96
SHA512 10578832634e68efa27f12f73bfdcf5b1e7194c7a93263471711449bd485a858ebc14f2a241dfa1267833eaf137a39098f7da96f5f0151e4c36f60ed17c4d5bb

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 a1e5321dbe358a7cc7787cf6529efe17
SHA1 c3e1220311b0fa940c7dc848aba6569f439d339d
SHA256 9599593963a778cc3919c510f3d66758825e24c57e2ad55ce13a5dc1f5adbe74
SHA512 1f57d77259dc99889ee052c4b4bf27dad33f461e78ae50291233b4200a6184fcb46f165afb77a6f3378311fbab12f9e6e8e9d184ea746ecb5f7239f05de5c1af

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 4e7af5a914e7a40d9c44a5795295c02b
SHA1 8e5e236bc408c803d2e39bc46ab0dda4ce1a64e8
SHA256 429d2c5cc8730b979e6c19c99a8ca664c81447d8cccf68517ee2720c2e36872b
SHA512 dc23e0f1965af45cbe5e42f3219c6f2ff996ac1cb3811bd01f7bff4185a2e825b0cae80f886498b9633affac792cb608ff2546f1a8364a9e603bb7089f26e9f2

/data/data/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 e3106a8464fed749bfda72336b8fd03b
SHA1 3a292dd8c166056f7d25fef575790313aaf06a79
SHA256 508ec5508c436b9cabb523c5798d9e33ee46b5e676cef4675132dda185879068
SHA512 59049443b6043fe95286393c222334be785ec7bc2c09fc856f8f7f72df4e9ed2b1f3604a821bbffee3291935282602c91d3dd8cf56244200f5bfe65ff9c1a16f

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 8947301b152041c954762f738cbe7bee
SHA1 305d04c6bbf155bbe9378bb6cadf4ca798cefaef
SHA256 8a4065e5bf76d68cd05d41dc4d6e5c6b2abdf33e1ddfc364bc9a54e1730d5551
SHA512 fec6cf595505cf47d3aebd287e660cafe889ed694b3caf47e8b6c2662c67bf86d92c3b8dedd9fa2375432af385c651e098e394bc8da9df086716999f1277c88e

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db

MD5 2decc027d61e34f35329b264b713a25e
SHA1 0d6a97ad1e147ff5cb15d7bc50d016402720c2b1
SHA256 7dd6f54b773436b58acc0b528fedba35d4a98f109c0d5de469f873418d13c567
SHA512 e954c3182c9a19e912014c609366e3e69fb8e9c6a3f890762f0d00558da99a040e9f0e1908049ccd9cc7dd085e9dc51e0af2718cc1c8278118cb77facb0ac277

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 8914631c7ab272fbf712b532198fab1b
SHA1 356c0008dc44c7ae6862f29309fc665e18757d7f
SHA256 0558c4e3c798056219cc7714d7f316eba83ba079b8b0ae349137d85f888dbec9
SHA512 cbe81803b74a2246c7085415572e654f479055a9af818ceed849299f5635f1efdfccebb697cfcd4f39d0b3c76e4bc5be49d12fe4bf5edee6c0b090625c156249

/data/data/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 8affd996a6da06aa72fa81051b3c0027
SHA1 013d60e1d1e38ecf0417c906a3900e6e895e178c
SHA256 66b9e057f7d5afbce4c48ec52b4d2e1ef6951afae8b220e598bbfc80cc5503b1
SHA512 489640c99107d5c7ec81238de7f3d7ef1e106a4a299d3505b647f4c31039ea3105255bdbb8070f2104d77805ecafdebeb54e34af0338d2389ff6eef11036201d

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:53

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

180s

Command Line

net.kairosoft.android.horse_ja

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries information about the current Wi-Fi connection

discovery
Description: Framework service call
Indicator: android.net.wifi.IWifiManager.getConnectionInfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

net.kairosoft.android.horse_ja

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp
GB       142.250.179.234:443                           tcp
GB       142.250.179.234:443                           tcp
GB       142.250.187.238:443                           tcp
US       1.1.1.1:53          android.apis.google.com   udp
GB       142.250.178.14:443  android.apis.google.com   tcp
US       1.1.1.1:53          ssl.google-analytics.com  udp
GB       216.58.212.200:443  ssl.google-analytics.com  tcp
US       1.1.1.1:53          config.adview.cn          udp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
GB       142.250.180.4:443                             tcp
GB       142.250.180.4:443                             tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp
CN       211.103.153.95:443  config.adview.cn          tcp

Files

/data/user/0/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 f3fd1b27217ae1accb37742bed7b8454
SHA1 4b04d14ea626d306171a079f66b12f3abd49224e
SHA256 e6ab4bf1f99037790307c705511714a7974bab6357ea408910a7981116ecc572
SHA512 3f838e2d0f30c0a954188f0f8dac03251b77d61fcd80403b6771166a449855c84275ee669905e4369446f85c193d5e84b81b0f3c685a689a5bc1caa41d1db002

/data/user/0/net.kairosoft.android.horse_ja/databases/google_analytics.db

MD5 ba12f53b6f1d877f6082e3720645451f
SHA1 b3e8238a1d4fcee6b8df05ddac0bf35ad11c3842
SHA256 a582148fa6713d72361f1c890ff91beca3d559c4a4378ba868318e3ccbc4f53d
SHA512 d60e4f448883c14fc7de6c7c0a418ff515458c75f9ce524c528797cf7aea951d60b01b66595b8a65207afcbfd5983ae508f56d1835d04758bba4e779d882baa8

/data/user/0/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 de56e414bdb778874fc443627ff14800
SHA1 cdcffb68c53e4af2490af250c89dd50b9e3ba0a3
SHA256 153105ba468a94de230adf624f3e7eb7d8f353504e2c11481e2d8b6a335e2c3e
SHA512 03314279338121d51b7470fb255a86254a1f62e61aa32150c861516ea232333579a015c3f1cc42dc357929a54d6260dd0a2b2ad671444597d9cc7e6ef63e0e13

/data/user/0/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 f34211997b2421b1112085dc81446036
SHA1 2e0c2487a7f26bedc9c1ac40695d51fc4c8cea39
SHA256 1fbb904dc4824e365ce8f6f07dcdb30d280771294e97d3c577591954705d5a04
SHA512 7531a4c46cd1eeb9451eddcc7580219ecdf79415435c9e6f418b7fc5d51f9b66cf802755b10598b62199803aa3d25662cb60caa86bfdb31079cb1d35e1acc1e1

/data/user/0/net.kairosoft.android.horse_ja/databases/google_analytics.db-journal

MD5 ca1e522df127540ab12c412615e71189
SHA1 b8c0b56d8d79f233c96144c78b4ee6373e0df933
SHA256 a72886962a6dfeaafdb5bba9b3c0234cf70ed8c42f85d200c53a91b65ceff3f3
SHA512 a9ba6445525c0fd13d38d3d7790ad9a0bc15ecf4341c9e35329e5b4bf50f3aec4c3b996bef11b0426fae13fe3eb5e2d023f619b823dd6953201106e41ac2f284

/data/user/0/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 0ce797ee1c717675467aca6b166d8b00
SHA1 e2c2d28b339b6c95ce3d6b4b20e1d0d2c7b98624
SHA256 9ebfad6a66239acb2406be982939816a39d6a4f761442b895199ab17ae458257
SHA512 24f3486c78e97e7e86bbe558b22f5619b39d21bc52a8aea95281bbb7b6893a76cfe24d6eb46bf01c6a764effa36a61a5616589b1eeb4086b34e7e30524083eef

/data/user/0/net.kairosoft.android.horse_ja/databases/reqinfo.db

MD5 2eb6ccd15bd045758b754a1c9591cbe8
SHA1 3f44b74ac7923d5050b1d1d7ff4dbe332c60673b
SHA256 57c26b757ea53ba399d2835333d76c80fda9f88921cc482edf1e6d2efa7d6a67
SHA512 975c99e9a8f677b5f40efccb0255636bc05c93118b60f18d881b4445a76fc921d0f9499adcf6e4a786d27c360d029fe3c1aaadce096be5621c215b81ce4a9037

/data/user/0/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 b7972caa501b9adaa458d14bd958df34
SHA1 4b35d0d28ddd07c9e8f3a38fc4c54b09bdb5bade
SHA256 96318bab2fe5973adf418a2e543c6e7e8dbe64f946510ac622bb5817ba0bf9a1
SHA512 2148b84bb13bda177ae1c865d39c51ce1f379099d61f2e8a9212df90cc1067311133683e10cde54bf303182f3997a1387543bf55c5e29c05efd5108266f5baf4

/data/user/0/net.kairosoft.android.horse_ja/databases/reqinfo.db-journal

MD5 98adff97859d8310f368291e4895e68f
SHA1 d9dd362c30ff0597df30b88fc3074462c8e9bc43
SHA256 fd6edae06b9ebd3ee4c13dd805b4371d870437cfa1a18d6f04e36d237b2ad5a1
SHA512 3114453e095e9c7e7c22b7a45b9af566ce13a063a3c3e3e31464c0cb655c0087872b633108a7f71373b6290e0497afdf6c3e25b3d827615b54ebfb47ff2bfbf7

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 05:50

Reported

2024-06-15 05:50

Platform

android-x86-arm-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain                    Proto
N/A      224.0.0.251:5353                              udp

Files

N/A