Malware Analysis Report

2024-09-09 13:32

Sample ID: 240615-xtwzqasana
Target: afecf973b5cc3d22cb18dae57cc3917d_JaffaCakes118
SHA256: 9579d69ede30626ee7615739d19bf1aee654ffcdaad5d4b4ba8cec42eef2a3e0
Tags: discovery evasion execution persistence stealth trojan collection credential_access impact
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview, Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 8/10
SHA256: 9579d69ede30626ee7615739d19bf1aee654ffcdaad5d4b4ba8cec42eef2a3e0
Threat Level: Likely malicious

The file afecf973b5cc3d22cb18dae57cc3917d_JaffaCakes118 was found to be: Likely malicious. It is an Android package that all three behavioral runs launched as com.puzzlegame.puzzledom.hack. The static pass produced no signatures, so the verdict rests entirely on the runtime signatures listed below.

Malicious Activity Summary

Tags: discovery evasion execution persistence stealth trojan collection credential_access impact

The items below are the union of the signatures that fired across the three behavioral runs; not every run triggered every item (compare the per-run Signatures sections: the x86/arm and x64 runs fired the country query and receiver registration, the arm64 run did not). Several of these signatures also fire on legitimate SDKs, so weigh them together rather than individually.

Removes its main activity from the application launcher (no indicator was recorded for this signature; hiding the launcher icon is a common way for a trojanized app to remain installed without the user noticing it)

Obtains sensitive information copied to the device clipboard (the recorded indicator is the registration of a clipboard change listener; the report does not show what, if anything, was read from the clipboard)

Queries the mobile country code (MCC) (the recorded call, getNetworkCountryIsoForPhone, returns the network's ISO country code rather than the raw MCC; together with the freegeoip.net lookups in every run it is consistent with behavior that depends on the device's location)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time (through JobScheduler; the evernote_jobs.db files the app writes are the job store of the Evernote android-job library, which wraps JobScheduler)

Checks CPU information (reads /proc/cpuinfo)

Checks memory information (reads /proc/meminfo; both reads are commonly used for emulator or sandbox detection, but analytics and crash-reporting SDKs read them as well)

MITRE ATT&CK Matrix

N/A (the report maps no techniques; the tags above are tactic names only)

Analysis: static1

Detonation Overview

Reported: 2024-06-15 19:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-15 19:09
Reported: 2024-06-15 19:12
Platform: android-x86-arm-20240611.1-en
Max time kernel: 26s
Max time network: 131s

Command Line

com.puzzlegame.puzzledom.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: none recorded (Description, Indicator, Process and Target are all N/A)

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process/Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver (Process/Target: N/A)

Schedules tasks to execute at a specified time
Tags: execution persistence
Indicator: Framework service call android.app.job.IJobScheduler.schedule (Process/Target: N/A)

Checks CPU information
Indicator: File opened for read /proc/cpuinfo (Process/Target: N/A)

Checks memory information
Indicator: File opened for read /proc/meminfo (Process/Target: N/A)

Processes

com.puzzlegame.puzzledom.hack

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             freegeoip.net             udp
US       104.21.81.232:443      freegeoip.net             tcp
US       104.21.81.232:80       freegeoip.net             tcp
US       1.1.1.1:53             lp.androidapk.world       udp
GB       216.58.212.238:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       172.217.16.238:443     android.apis.google.com   tcp

Reading this table: 224.0.0.251:5353 is mDNS multicast and is background noise from the emulator. freegeoip.net (an IP geolocation service) was contacted over both 443 and plaintext 80. lp.androidapk.world was resolved but no connection to it appears in this run, so treat it as a domain of interest rather than confirmed C2. The 216.58.212.238:443 row carries no domain because the sandbox could not tie the TLS connection to a DNS answer; the address is in Google's space, like the android.apis.google.com row.
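The three Network tables in this report are flattened enough that the distinction between "resolved" and "actually connected" is easy to miss. The following Python script is an added example, not part of the sandbox report: it parses rows in the report's own format (the behavioral1 table is embedded below as sample input, copied from above) and splits them into DNS-only lookups, established connections, plaintext HTTP, unattributed IPs and multicast noise. The BENIGN_SUFFIXES allow-list is an assumption for illustration; adjust it to your own environment.

```python
"""Triage helper for flattened sandbox network tables (added example).

Not part of the sandbox report. Parses rows such as
"US 1.1.1.1:53 freegeoip.net udp" and reports which hosts the sample
merely resolved versus actually connected to.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Sample input: rows copied from the behavioral1 Network table of this report.
BEHAVIORAL1_NETWORK = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 freegeoip.net udp
US 104.21.81.232:443 freegeoip.net tcp
US 104.21.81.232:80 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
"""

# Assumed allow-list of infrastructure the sandbox image itself talks to.
BENIGN_SUFFIXES = ("google.com", "google-analytics.com", "gstatic.com")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def parse_flows(table: str) -> list[Flow]:
    """Parse the whitespace-separated table; the Domain column may be empty."""
    flows: list[Flow] = []
    for line in table.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue  # blank line or header row
        country, dest, *rest = parts
        proto = rest[-1].lower()
        domain = rest[0] if len(rest) == 2 else None  # missing domain column
        ip, port = dest.rsplit(":", 1)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed row
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def is_benign(domain: str) -> bool:
    """True when the domain is, or is under, one of the allow-listed suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(flows: list[Flow]) -> dict[str, list[str]]:
    """Split flows into the buckets an analyst wants to see first."""
    resolved = {f.domain for f in flows if f.port == 53 and f.domain}
    connected = {f.domain for f in flows if f.proto == "tcp" and f.domain}
    return {
        # Resolved but never connected: candidate C2/landing domains to watch.
        "dns_only": sorted(resolved - connected),
        "connected": sorted(connected),
        # Cleartext HTTP is worth flagging even to an otherwise known host.
        "plaintext_http": sorted({f.domain or f.ip for f in flows if f.proto == "tcp" and f.port == 80}),
        # TLS connections the sandbox could not tie to a DNS answer.
        "unattributed_tcp": sorted({f.ip for f in flows if f.proto == "tcp" and not f.domain}),
        # mDNS/SSDP style multicast is emulator noise, not sample traffic.
        "multicast": sorted({f.ip for f in flows if ipaddress.ip_address(f.ip).is_multicast}),
        "third_party": sorted(d for d in resolved | connected if not is_benign(d)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_flows(BEHAVIORAL1_NETWORK)).items():
        print(f"{key:>18}: {value}")
```

Run against the behavioral1 rows it puts lp.androidapk.world in dns_only and freegeoip.net in both connected and plaintext_http, which is the split an analyst needs before deciding which of these domains belongs on a blocklist. The behavioral2 and behavioral3 tables parse with the same function once their rows are pasted in the same layout.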

Files

The same path appears more than once because each entry is a separate snapshot of the app's SQLite job store (evernote_jobs.db) and its -journal, -wal and -shm side files as they were rewritten during the run. evernote_jobs.db is the database name used by the Evernote android-job scheduling library, which matches the IJobScheduler.schedule signature above. The hashes are of these volatile database files and differ between the three runs, so they are not stable indicators for the sample.

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 28b1aea91869f1e0ee19509099c263d7
SHA1 03b0ba0ffb42743dfe5757476b389ef0d4d59b66
SHA256 eb64099cc3c5af4ad6ebf8817873156589f50c3ca3b1841fbd1882290682d358
SHA512 bbac516d7dff7201be60b6e395f0701ec85c2a4b2a22a162c81e224f02e177f0cb1f5e8edcd937a9c8d4c5e486b3088be8dcc7f43bcc7b2e01ad250e671c95d9

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 5d85664f8e614fcaef42be2e6f649027
SHA1 09c6288922102f6114a823f4992415fd3373d61e
SHA256 55f8907e91226ef43a05583c7b4623b4e26994b62d20c8603975ccc1fa3b9409
SHA512 3d6006a3e82d00fe9bc443e940acc5df12ec84114fcbcf8fbc8099c085cb1229b21a217b7445129b50558bfef5100894686d7359eb80b7ef087b65c7be3bc6e9

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-wal

MD5 e118d87d5aebae2406c939ebf1cf880e
SHA1 4a945858387260c1a50ba0e0ae3ae73c124e0602
SHA256 3ee63561ff363c64d95e44044d164548ae819bbf5e53efb68d98906a8cbc2ec3
SHA512 28325bc7d0149398d6a4ae1a5da86c262d2f2804ce9edb6de246d1483b9f339fc983cac9bdc86e6efc360e73eb026c9f3cca03e5ff55534ee884089616f96a99

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-wal

MD5 a0aee3c281d45749a45110a11bb01669
SHA1 f80699dc2890f6e5c3528457e98e6e248454f800
SHA256 8c9e063948a131e8f71e7c4456387af6bb8e67c4bcce5662ca2a591a0ee3ad9f
SHA512 c5b5fae617bf62aa78e824f4f1232ed398928fbd0ff64457a74ae5fa9ad15f2652266e0289faf2656672dd0f687c305f46231778ad242d48d98ef8f75f27cffa

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 24661e00e51c30188995cf21ce0ed658
SHA1 7295da62d82a15e9d1453b5ac8d1e0b82bfb489f
SHA256 f38b0fa6b80733960a2c1a92fd081fb2f77c54115d4d00f75e7c7fb2acea6ab2
SHA512 1f3ae1c8caa08f012f5b953e68820ac9ab171b379399b9728d664e9c39766907ad17bda706554b6d59f20337da7fc398fd0c43ddeb6ff1545e2efff82fb23e85

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-15 19:09
Reported: 2024-06-15 19:12
Platform: android-x64-20240611.1-en
Max time kernel: 51s
Max time network: 152s

Command Line

com.puzzlegame.puzzledom.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: none recorded (Description, Indicator, Process and Target are all N/A)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener (Process/Target: N/A)

Queries the mobile country code (MCC)
Tags: discovery
Indicator: Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process/Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Indicator: Framework service call android.app.IActivityManager.registerReceiver (Process/Target: N/A)

Schedules tasks to execute at a specified time
Tags: execution persistence
Indicator: Framework service call android.app.job.IJobScheduler.schedule (Process/Target: N/A)

Checks CPU information
Indicator: File opened for read /proc/cpuinfo (Process/Target: N/A)

Checks memory information
Indicator: File opened for read /proc/meminfo (Process/Target: N/A)

Processes

com.puzzlegame.puzzledom.hack

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.178.8:443      ssl.google-analytics.com  tcp
GB       142.250.178.10:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.206:443    android.apis.google.com   tcp
US       1.1.1.1:53             freegeoip.net             udp
US       172.67.165.196:443     freegeoip.net             tcp
GB       216.58.213.14:443      -                         tcp
US       1.1.1.1:53             lp.androidapk.world       udp
US       172.67.165.196:80      freegeoip.net             tcp
GB       142.250.178.14:443     -                         tcp
GB       216.58.201.98:443      -                         tcp
GB       142.250.179.228:443    -                         tcp
GB       142.250.179.228:443    -                         tcp

As in behavioral1: lp.androidapk.world was resolved but not connected to, freegeoip.net was reached over 443 and plaintext 80 (a different Cloudflare-fronted address this time), and the domain-less 142.250.x/216.58.x rows are TLS connections into Google address space that the sandbox could not attribute to a DNS answer. The ssl.google-analytics.com traffic indicates an analytics SDK in the app.

Files

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 70dd35b96294512e1ad8386f61623f53
SHA1 972df5f6cd73bd555f5ea3becdf735da3630c1e2
SHA256 167c8c676f44c793f49057d1598e5bb42b4078c3e019180ac323c99dcc639ee1
SHA512 b41b55d4f97491526600b1ec249d167b3b5ac59f14a571258eb82efb9efe870f4dfb1b0e4246f7b6d0210ed7543707e87eaa127dba54ba7082576b8a3f267eb7

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 12627a2ec645c4a4bc50dba5903afd59
SHA1 504005c938517e61bcf68b65a055c2faba635c2e
SHA256 f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903
SHA512 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 261b78422cb3965942479cf6ef560bae
SHA1 ca852592f5fac0d9a63498c6ab23490a3d115fc8
SHA256 b75cbac29107d22235c582a76b8bdbc05b32ec09de76b737a5327f32b6e2fc9a
SHA512 56a4f0c9c5718298ca11f5648adfc87acf9624ee62968f95a8e25f9ae2d4422f979eac1bd783f3cb45a065dbaff637951017a50456e081a1a924076847880dc8

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 2ee2495793da1d5183d3bcee819abd07
SHA1 95fad09225f000024942dbdbe7290dafb7d99fcd
SHA256 10794a6facbb41f7a89622a350309f21e3bb76a2f5bf411309e9b59be063888f
SHA512 90648f0bd33553f20160017ea5798a6ccfae68058f6b36022b17991ff8065d7c814c6ed0b065454c9e790933765d9cd80917bbdf56e02553cc4fd8d878c3c2f2

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 655b8e13a7bc5ff8bd722b13748a69cd
SHA1 b11c546a2a75c35a8c01833da9e37ee25ed8f6b9
SHA256 f48131ff356200e98c4f395ecac0d31e680e05a67a7e588370394bb87f7b0fc6
SHA512 ec10ccd8c34f59a78a9c32570a3be1bf2882f5af22adde46fc9505da3fce4a0ca8e3d89ba15f7e3b0c0c87f84899388c097d076126c7d6715bdc6e2c62739a6d

/data/data/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 af6e40df2d4821ae6b78c5356006e01f
SHA1 217667f50ba96496112bc4197fafb58bab52ba23
SHA256 39bbcbcd7448564a949f80304d3d6a7fa9a6c18f3bd19a63d612a88631d29d38
SHA512 43949fea9953fb5a6aa0dedd3bd24440c263a9ccb4f760bc892c3bc85ba82cf4705a2d13fd77e8166c9efd8306384f52c45065160eda9ed42dbb2a9a4820a65a

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-15 19:09
Reported: 2024-06-15 19:12
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 99s
Max time network: 132s

Command Line

com.puzzlegame.puzzledom.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: none recorded (Description, Indicator, Process and Target are all N/A)

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Indicator: Framework service call android.content.IClipboard.addPrimaryClipChangedListener (Process/Target: N/A)

Schedules tasks to execute at a specified time
Tags: execution persistence
Indicator: Framework service call android.app.job.IJobScheduler.schedule (Process/Target: N/A)

Checks CPU information
Indicator: File opened for read /proc/cpuinfo (Process/Target: N/A)

Checks memory information
Indicator: File opened for read /proc/meminfo (Process/Target: N/A)

Processes

com.puzzlegame.puzzledom.hack

Network

Country  Destination            Domain                    Proto
GB       172.217.16.238:443     -                         tcp
GB       172.217.16.238:443     -                         tcp
N/A      224.0.0.251:5353       -                         udp
GB       216.58.201.106:443     -                         tcp
GB       216.58.201.106:443     -                         tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.201.104:443     ssl.google-analytics.com  tcp
US       1.1.1.1:53             freegeoip.net             udp
US       104.21.81.232:443      freegeoip.net             tcp
US       104.21.81.232:80       freegeoip.net             tcp
US       1.1.1.1:53             lp.androidapk.world       udp
GB       172.217.169.68:443     -                         tcp
GB       172.217.169.68:443     -                         tcp

Same pattern as the other two runs: lp.androidapk.world is resolved and never connected to, freegeoip.net is reached over 443 and plaintext 80, and the unattributed 172.217.x/216.58.x rows are TLS connections into Google address space. Note that the country query and broadcast receiver signatures did not fire in this arm64 run, so the outbound behavior here is the part that is stable across all three platforms.

Files

Paths in this run are under /data/user/0/ rather than /data/data/; on a single-user device /data/data is a symlink to /data/user/0, so these are the same app-private database files seen in the other two runs.

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 3d62821dfd1d87e61a730e42b70fc6fc
SHA1 a926cbdb30058169c084915b5f534dd1e8233cfe
SHA256 156cdc4e663d3854154e2670992bfad2a75781988dd0707a82d64af39415e654
SHA512 3c74289a18a93e1a7b03adf43f70637aaaea61e90771666054327c0ff9c8a3f1c961a5cb80569a5ba45c34178acddf3728a9fc76978bbef1a2abe712360e6eda

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 58c0b6e45328752b20ac6e719ac034f8
SHA1 372b2638afd00bbbc4034657b3df3d2e428fb367
SHA256 9d74f93afa5a179b1ba2f19f154b2880aa8b99c88209802099045a0874d2426a
SHA512 2d347d5824b9ab701e341c89e8327a95fd6bab8e92ee15ce9550da368d773e22bff304072a4854df5ab763750a7401f7aa61a49e3292d62c27fa9f20536eb3ab

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 4ae8a08da72d3a65908684a3ca14a188
SHA1 4beba1107281a4bfe10808ecadf39fbc17ebfa04
SHA256 2041cdacf2379ce257fd193496dc7457b9f4dceabb1240ff78ca1b491ecc683e
SHA512 17f16f6a52a34a61574f43f5e45dc49aeb3c5b3c3f3f76bb2d4c07c5e4413d1b1f40dc31226813ecdf6550c30dfdf89adb329acbfabc99b1c985da0535ae897d

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 086709e23fbc1c4f7e02766a3eb3090d
SHA1 60f13e34d25cf53ed77e7a3cc51facc2f5910da5
SHA256 1aa8f38f423bcd482fe370d4bde745bf8180317c3b567bcc3d6967030860e2a0
SHA512 40a5d755b862bd46cacd2d30bc14ba5f3abc4192070508151058870ac44f78a9499ce04b0103ca634e140b4eb3d9c94b322a745c06a3a4cf636d2c10667c8279

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db-journal

MD5 e8a577021eb17dbcfc86412e375372f2
SHA1 81a9b25575f37da50cacd6075a268d9e67d01488
SHA256 85434efae6c15f3f9c13048be216ea947f2dd7e8879fe97e77d9104acc80aca1
SHA512 4974c9f4b67dd63373ceaebc97e89e425db380d0d9c20f77c3c995e06a1dad463f463d0918b8c926628eb54f5fa2ba81cedd75e51ea9696a7e3db8321a66c9a9

/data/user/0/com.puzzlegame.puzzledom.hack/databases/evernote_jobs.db

MD5 0c332993e2254573a13735c1faf1972a
SHA1 b3b1544ead5a363c16ac7bfdb6c1a3f87e61fe1d
SHA256 909f0efe9e945909b6fbcbb7003321c60489076d1389f671e3e4d29a22aed2f1
SHA512 7b0dd44d3a1bc425a148acea83de48081d7ad6e501fd0cd45a074b228d1cb1683351307a56e81a0fa33fa8f3230b4e991c3bc5550ea49fbe073d6fe9c4bb6d52