Malware Analysis Report

2024-09-09 16:01

Sample ID 240615-hp5nqsvfrq
Target ad3aab10f0a6f07a1fdb2bc8f881d719_JaffaCakes118
SHA256 31ad8487c4a089a6891becc76fb688c9cf4152e97db466c3fa8fa192c78ef91d
Tags: collection credential_access discovery evasion impact persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 31ad8487c4a089a6891becc76fb688c9cf4152e97db466c3fa8fa192c78ef91d

Threat Level: Shows suspicious behavior

The file ad3aab10f0a6f07a1fdb2bc8f881d719_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Obtains sensitive information copied to the device clipboard

Requests cell location

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-15 06:55

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 06:55
Reported: 2024-06-15 06:58
Platform: android-x64-20240611.1-en
Max time kernel: 155s
Max time network: 183s

Command Line

com.borqs.uclient

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.borqs.uclient

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 | - | tcp
US | 1.1.1.1:53 | b.mobeehome.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.16.226:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp
GB | 172.217.169.46:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.187.196:443 | www.google.com | tcp

Files

/data/data/com.borqs.uclient/databases/uclient.db-journal
/data/data/com.borqs.uclient/databases/uclient.db
/data/data/com.borqs.uclient/databases/uclientconf.db-journal
/data/data/com.borqs.uclient/databases/uclientconf.db

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 06:55
Reported: 2024-06-15 06:58
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 155s
Max time network: 132s

Command Line

com.borqs.uclient

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.borqs.uclient

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | - | tcp
GB | 172.217.16.238:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.201.106:443 | - | tcp
GB | 216.58.201.106:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | b.mobeehome.com | udp
GB | 172.217.169.68:443 | - | tcp
GB | 172.217.169.68:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:80 | www.google.com | tcp

Files

/data/user/0/com.borqs.uclient/databases/uclient.db-journal
/data/user/0/com.borqs.uclient/databases/uclient.db
/data/user/0/com.borqs.uclient/databases/uclientconf.db-journal
/data/user/0/com.borqs.uclient/databases/uclientconf.db

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 06:55
Reported: 2024-06-15 06:58
Platform: android-x86-arm-20240611.1-en
Max time kernel: 156s
Max time network: 141s

Command Line

com.borqs.uclient

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.borqs.uclient

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | b.mobeehome.com | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.36:80 | www.google.com | tcp

Files

/data/data/com.borqs.uclient/databases/uclientconf.db-journal
/data/data/com.borqs.uclient/databases/uclientconf.db
/data/data/com.borqs.uclient/databases/uclientconf.db-shm
/data/data/com.borqs.uclient/databases/uclientconf.db-wal
/data/data/com.borqs.uclient/databases/uclient.db-journal
/data/data/com.borqs.uclient/databases/uclient.db-wal