Malware Analysis Report

2024-09-09 13:33

Sample ID 240616-b4le3sxhrk
Target b1271030869cf7389c70be547ff48432_JaffaCakes118
SHA256 8a51b2cd48efbca5c7e8f65f11d6f84bfa34f4e8eea36c22c3f4d74241dc4f35
Tags: banker discovery evasion impact persistence stealth trojan collection credential_access
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 8a51b2cd48efbca5c7e8f65f11d6f84bfa34f4e8eea36c22c3f4d74241dc4f35

Threat Level: Likely malicious

The file b1271030869cf7389c70be547ff48432_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker discovery evasion impact persistence stealth trojan collection credential_access

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks Android system properties for emulator presence.

Obtains sensitive information copied to the device clipboard

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-16 01:41

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 01:41
Reported: 2024-06-16 01:45
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 131s

Command Line

com.bjin.gamemaster_main

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks Android system properties for emulator presence.

Tags: evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar | N/A | N/A
N/A | /data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.bjin.gamemaster_main

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.bjin.gamemaster_main/app_ttmp/oat/x86/t.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | api.ymkeyxeghj.rocks | udp
US | 1.1.1.1:53 | a.asense.in | udp
US | 208.100.26.245:80 | a.asense.in | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.zuisimpleweather.com | udp
US | 13.248.169.48:80 | api.zuisimpleweather.com | tcp

Files

/data/data/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 9aaea567e0c93e51718ba7eade0e83df
SHA1 0005116aad1779361b70093db00fed5ac090ae23
SHA256 b30a95dff6f65f444472971c8aaf895ffc8e66e0117ce242ec4cb8a8a519a5ec
SHA512 2aef1034335d8752f4e25ce6c5823ce03019536cc6e51ee61b5291c77a0f356a2517e0cbe7f2c4cc2d897115dc856449a342cfdc247c9d34d313187d15b2f890

/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 f72c3d07507c3e26d317e9117ba757d1
SHA1 cdede4739e9dd9fd95243aab5e44c24f93f825c3
SHA256 1c65834d9ca018c6496a8b9957589d0e94657911b6635dc21a448d78f9238887
SHA512 3420714252e7503abc13c99274d767b0bc08671d769460dc61823ab9470e145fb75c5dfaadc617d3a05cf251ed5ecf38ea7e8c1d7b343bca4d7e8296f1b805d4

/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 5f187161b6cbaeb08a57c166bc1c8954
SHA1 71897ad46bf5ce055e0891775fbf3949d1e03e10
SHA256 f093e6aed6e100f7c164174270f384493e63a449c02f5df02f88aadfdf0ebaed
SHA512 71c2854911e5a145ac6cc2f63f35f00339c7f63456aaddb4c7a4c7d314eabea729cd5c11393ed415fdd3f25c88ba55a327912d406900245a8ddd35ae59dfd3f4

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 eb728c99383335f62295b41f3f40b7a8
SHA1 49031b6437b6969c13ff1edf91a8f3cb10b19c00
SHA256 cb62dd65ab67c8061a15c2f8bb0cbbb51debf91851792bdcb6b8f6ca21fe3be5
SHA512 295e83975908e3b04212aabccf56af78ede83207d142c26ab3e05b85bf952df14206265ac3e28790655cc3c50403bbfc0af1015fbd66d5c06efdd725c15c9a00

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-wal

MD5 2cf0b603c3d0e67881932b371e8ecac1
SHA1 0638048719d4e24db06458cdb8463775363cdeb2
SHA256 fd21fe903d5f1944726c1aaa2f6ccf587804dd55afb5ef4fbdcf484beeb64c59
SHA512 2d5e09429a92be41459adce42956e6509cc6224f57b976bc2e48d05271f3abbb233e1ed72e611b2c1260f293d0ff40c482f6c6b677eb105db362e24b51729402

/data/data/com.bjin.gamemaster_main/app_ttmp/oat/t.jar.cur.prof

MD5 640eff78b9374507bfb5742aace8ef4e
SHA1 f81ce897275b1c9d192a0fe9231f0bec6ac7919a
SHA256 0caef8cc14a2c1207516518e270f818d14985103c7652d788fb20a746347d168
SHA512 889bf6ecf0302296a6cc70893b1ea3cec3c8414eabf000c33c9f0f5023e55e2d258c07e40ed07a9d0dcefa8f210186e593bbcf7cf3f5b8c971e7f867a2b4f219

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 01:41
Reported: 2024-06-16 01:45
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 167s

Command Line

com.bjin.gamemaster_main

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.bjin.gamemaster_main

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.ymkeyxeghj.rocks | udp
US | 1.1.1.1:53 | a.asense.in | udp
US | 208.100.26.245:80 | a.asense.in | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.zuisimpleweather.com | udp
US | 76.223.54.146:80 | api.zuisimpleweather.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 9aaea567e0c93e51718ba7eade0e83df
SHA1 0005116aad1779361b70093db00fed5ac090ae23
SHA256 b30a95dff6f65f444472971c8aaf895ffc8e66e0117ce242ec4cb8a8a519a5ec
SHA512 2aef1034335d8752f4e25ce6c5823ce03019536cc6e51ee61b5291c77a0f356a2517e0cbe7f2c4cc2d897115dc856449a342cfdc247c9d34d313187d15b2f890

/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 f72c3d07507c3e26d317e9117ba757d1
SHA1 cdede4739e9dd9fd95243aab5e44c24f93f825c3
SHA256 1c65834d9ca018c6496a8b9957589d0e94657911b6635dc21a448d78f9238887
SHA512 3420714252e7503abc13c99274d767b0bc08671d769460dc61823ab9470e145fb75c5dfaadc617d3a05cf251ed5ecf38ea7e8c1d7b343bca4d7e8296f1b805d4

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 3a3027998ba0af654b6ce37dcaea8213
SHA1 785860197d0c653ace68d2518a154f57c293375b
SHA256 27ad6c6620d3ac5502b3893d2f07c647f64e7f7c63f4f1af73f98e3d607aea75
SHA512 c4852c76f7715054c6fdbdc7e9ff621cd902b9da8848f0b85d05da7399bfaafd5882384f0eaa58560f35e8aa8d3ea5214f277453e4d93e2244407fbb1ddbda84

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb

MD5 812f2d4481bf3181b4b873a992d641ac
SHA1 78d2afed0a1661cd502b9de2658f5ec5797fb6c5
SHA256 4f43e5dbb9bdc4e0ae202dcee6c5b3501b23d68fa0e48188f8e5f1686baf60c6
SHA512 8365d8210cb000e7db40980359bdc71c222253c78bcde6f7beecad893c35c58bc36ba21b8e6d55f70766372e6131dfeefcea12934f8fab9113f3ce8ebc26de4c

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 177e2e6c4dd235a5d430534c320b1036
SHA1 0d55997ce79d72791f58f61e68c61fb353ad705b
SHA256 fa9cc10140add5240ed94541d702625114e543c36f8e39de250ec32ee12ed3d5
SHA512 bed7c9a0b83935c3785c9c374a9922f161c2c584c57afe081149bc6b3c5e7027e08dadadc1f2e16fbb28b1228bba5a6590e794f5a14e2b91bdc01f65c615a647

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 0a0cbea775c827668236fbb8b3146727
SHA1 0ee26bb5c59a91ff11ca1b267d3fed7af96d5a1a
SHA256 03f8e0f2bdefcfbfb663cfccd0da962d497a25ae6d7e341a054c3bc28130766b
SHA512 b4af787c55d36004984e797fcada494b200d7cc57646c8fa4c7c8f9ba6b17dc3a61a36bf926348a281158524e5180572841d4072d3bb1854662aa478cc814e09

/data/data/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 d7222a2c15f7422f155ae3e2e634f946
SHA1 cde085b009f1da7ca275a3559b7c5de8cf266e6a
SHA256 3e9b0775fbf6fb77a48d224bccdfa6cfc05c77f487b5e2538a9f5a34db562088
SHA512 ec81d4476ea3d9c4d0e439694f136fed2c107a23448eb5a1f970bc1ce074fdd7e18da7c3c793550f9fe2508a8904538a052a8c33c99bdf8fdb0833e30fccca45

/data/data/com.bjin.gamemaster_main/app_ttmp/oat/t.jar.cur.prof

MD5 8b1177e932ca9cb40fc64d8ec08c05e0
SHA1 f5bd11a973abe4806c39c8d6a75a6b65eea8d0c7
SHA256 a5ccab736c3b801dda62f8c4617e83d577e39d98207538144b401cb5ba968ce4
SHA512 f2c5bb7189cafa8ad52263bf2c3393a91eb5e6e953a4c9e79cfb122cdd4eb2800a5b5079dde6f4fda8fe660e7ba9b687ed92dfefe3daebf2a3da081a41caddc6

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-16 01:41
Reported: 2024-06-16 01:45
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 132s

Command Line

com.bjin.gamemaster_main

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.bjin.gamemaster_main

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | api.ymkeyxeghj.rocks | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | a.asense.in | udp
US | 208.100.26.245:80 | a.asense.in | tcp
US | 1.1.1.1:53 | api.zuisimpleweather.com | udp
US | 13.248.169.48:80 | api.zuisimpleweather.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 9aaea567e0c93e51718ba7eade0e83df
SHA1 0005116aad1779361b70093db00fed5ac090ae23
SHA256 b30a95dff6f65f444472971c8aaf895ffc8e66e0117ce242ec4cb8a8a519a5ec
SHA512 2aef1034335d8752f4e25ce6c5823ce03019536cc6e51ee61b5291c77a0f356a2517e0cbe7f2c4cc2d897115dc856449a342cfdc247c9d34d313187d15b2f890

/data/user/0/com.bjin.gamemaster_main/app_ttmp/t.jar

MD5 f72c3d07507c3e26d317e9117ba757d1
SHA1 cdede4739e9dd9fd95243aab5e44c24f93f825c3
SHA256 1c65834d9ca018c6496a8b9957589d0e94657911b6635dc21a448d78f9238887
SHA512 3420714252e7503abc13c99274d767b0bc08671d769460dc61823ab9470e145fb75c5dfaadc617d3a05cf251ed5ecf38ea7e8c1d7b343bca4d7e8296f1b805d4

/data/user/0/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 0b38c3dd2302fe9cf4115373494adf47
SHA1 30f787a1572c2f2fa94f681c89362bcdbf89a2a7
SHA256 a640987e44dde66bda7b4a127494de8c70342de61e885dcbb5ada3c673270080
SHA512 d524aeb66fa26124b4962510866f6b70656d04b4aa70e49653f73b40d128879fa45436ec94f292084a80038b9561965a1b6fadd9ee37fb5122a2e717eea65a4d

/data/user/0/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb

MD5 ab6f2ba2f7a6102969052f59ff07650d
SHA1 891c3fdf9f8db185ff71a121b15b4b2d82f50ba7
SHA256 63b0695fa76acbbac9a0f7f2d9cd2fb901230500fc385febeb9902c2402d7aa5
SHA512 3758d4a3038438208c42510ae06c2d3446805f8ea9ae58693078298b7b148c8abe396ab664c09847d8509e7fb2178a14ad60ff02b78827b0d52f7fe9da43079a

/data/user/0/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 285c8aaad3927434d3f0f578851c37f0
SHA1 53cf49e1a046d7a8c10137d3503ba62aecc67d8b
SHA256 5846762241974d3f29dec2e736170c127e9df15312c4cbf477ba4445735d6688
SHA512 c67231b4b4621029d3ed7b36d2e4e40b345c876a726d9c6117f98058fd3e2ce63759f3645c7cd1ee371c9fd5f12ad4aef0fcef1bfdcf81988bb8c21f9117e5bd

/data/user/0/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 034b7b80d549d114a1b7305e2d4f10b9
SHA1 d5c0ee4b3744e248e8a39da746675f19bdccf0f2
SHA256 0b8b0c2544cefe493536b23b494a6354a539cd2f1205c2a6054dd4d82d3d4f6b
SHA512 2c2257abff69072d2a61ce83cbdd563212c077e660d4995d0536d2e882b0ba7c285cf6d222acee7efc8a3d6b5e9d0852e9c258be37f2a65e8c2275586b9302b2

/data/user/0/com.bjin.gamemaster_main/databases/com.bjin.gamemaster_mainb-journal

MD5 ba5dec9260c1d3f20084581f4e8aaa63
SHA1 b23d4c54d8306173bee909884ab23f7448fcb3ac
SHA256 75b7905d5d707fd99d0978840773de7d1440761bff31032f82404771b9f358e9
SHA512 c5f13a2906562e67e7f38ba3c971c47dd7bfce4de0c57ae887478a36a9efbfc3baccb03dbf5471914cf272b9e260dd205f7fb7d7ff57a5cbee262644d10a79d5