Malware Analysis Report

2025-01-19 08:02

Sample ID: 240616-qkpeysyekp
Target: b3b67f794470bfe4a269ba32d39a45de_JaffaCakes118
SHA256: 2bc497fabcc11f6e76061a71f2d54e841aab0f32f71fd937bd04566e2ba7c5a4
Tags: discovery, impact, evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 2bc497fabcc11f6e76061a71f2d54e841aab0f32f71fd937bd04566e2ba7c5a4
Threat level: shows suspicious behavior

The file b3b67f794470bfe4a269ba32d39a45de_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

Tags: discovery, impact, evasion

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 13:19

Signatures

Requests dangerous framework permissions

Process and Target are N/A for every row (static analysis, nothing was executed). Each permission is listed once below; the report itself lists READ_PHONE_STATE, WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE twice.

android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW
    Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION
    Allows an app to access precise location.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.RECORD_AUDIO
    Allows an application to record audio.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 13:19

Reported

2024-06-16 13:22

Platform

android-x86-arm-20240611.1-en

Max time kernel

8s

Max time network

159s

Command Line

com.conferplat.aq

Signatures

Queries information about active data network

discovery
Indicator (Process and Target: N/A)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (listed twice)

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (Process and Target: N/A)
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.conferplat.aq

com.conferplat.aq:remote

Network

Country  Destination          Domain                   Proto
N/A      224.0.0.251:5353     N/A                      udp
GB       216.58.212.238:443   N/A                      tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       142.250.200.46:443   android.apis.google.com  tcp

Files

/storage/emulated/0/Android/data/com.conferplat.aq/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.conferplat.aq/databases/defaultjpushim.db-journal

MD5 e9d5469399ae20d22685d84f9f57e02d
SHA1 729eeb82d5f232b4cc2439c2b43e36ba56a661b5
SHA256 ae828987720bf4c7f0daf79de7db4951433e4f1439b6586cc0e268f3f172f343
SHA512 bc53bafd023e2dde456c7c78882830b2fea386bcb2d9a6e0cd706eba7a2c38ca049cd72db3558287845a34e914f284d5ae101c482e8178785af022d53d54d380

/data/data/com.conferplat.aq/databases/defaultjpushim.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.conferplat.aq/databases/defaultjpushim.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.conferplat.aq/databases/defaultjpushim.db-wal

MD5 bf4d1141ce0f39a59eb7a5ddd7ad9236
SHA1 d98a7da431e1f2cce5c319d79779bb911ef86197
SHA256 6758826af362de88df78ed362515cba1a793ec20cdaa61e51073d233d06fd5d2
SHA512 6cb2de34e3afe4a328845a72275dc2e305eb5390afe3010b941dab364c098a87294a646a5bf4cdb2ef08b0844f63be68a663fea70b9bdd75b3dc0bad14b9f4ee

/data/data/com.conferplat.aq/files/olS.zip

MD5 04beed8b2c96255605ad3cceb6ad1f46
SHA1 6f3201c4f72af194a4d8fac26937a224b3c3044b
SHA256 b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683
SHA512 6c8fc66139916575564374e687dd6ca2b181d845e5438e8ce47c77d9eeb43102c696cb1d20236c0e74a444c328018311d44fea255b703c011aff0b0ce85587dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 13:19

Reported

2024-06-16 13:22

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

10s

Max time network

133s

Command Line

com.conferplat.aq

Signatures

Loads dropped Dex/Jar

evasion
Indicator (Description, Process and Target: N/A)
/data/user/0/com.conferplat.aq/files/olS.zip
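The sandbox records only that the app loaded code from olS.zip; it does not say what the archive holds. As an added example (not sandbox output and not the sample's own code), the Python below sniffs a pulled payload by its leading bytes, lists the archive members a DexClassLoader or System.load could consume, and hashes the blob so it can be matched against the SHA256 values in the Files sections. The built-in sample archive is constructed for the demonstration and is not the real olS.zip.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"        # full DEX magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ELF_MAGIC = b"\x7fELF"
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".so")   # member names a loader would pick up


def sniff(head):
    """Classify a blob by its first bytes."""
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ELF_MAGIC):
        return "elf"
    return "unknown"


def inspect_payload(data):
    """Hash a dropped file, identify its container and list entries a loader could consume."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "kind": sniff(data[:8]),
        "entries": [],     # (name, uncompressed size, sniffed kind) per archive member
        "loadable": [],    # members (or the bare blob) that look like executable code
    }
    if report["kind"] == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    kind = sniff(fh.read(8))      # check content, not just the extension
                report["entries"].append((info.filename, info.file_size, kind))
                if info.filename.lower().endswith(CODE_SUFFIXES) or kind in ("dex", "elf"):
                    report["loadable"].append(info.filename)
    elif report["kind"] in ("dex", "elf"):
        report["loadable"].append("<bare %s>" % report["kind"])
    return report


def inspect_file(path):
    with open(path, "rb") as fh:
        return inspect_payload(fh.read())


def build_constructed_sample():
    """Constructed stand-in for a dropped archive; this is NOT the olS.zip from the report."""
    dex_stub = b"dex\n035\x00" + b"\x00" * 0x68    # header-sized (0x70 byte) stub, no real code
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_stub)
        zf.writestr("assets/config.json", b"{}")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    r = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_payload(build_constructed_sample())
    print(r["sha256"], r["kind"])
    for name, size, kind in r["entries"]:
        print(f"  {name} ({size} bytes, {kind})")
    print("loadable:", r["loadable"])
```

The path is app-private, so pulling the real file with `adb pull /data/user/0/com.conferplat.aq/files/olS.zip` needs a rooted adb shell on the device or emulator; then run the script (saved under any name, e.g. sniff.py) with the pulled file as its argument. Compare the printed SHA256 with b2e9e900… and b82e2d4d… from the Files sections to know which of the two versions written during behavioral2 you are holding.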

Queries information about active data network

discovery
Indicator (Process and Target: N/A)
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (listed twice)

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (Process and Target: N/A)
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.conferplat.aq

com.conferplat.aq:remote

Network

Country  Destination           Domain                             Proto
GB       172.217.169.68:443    N/A                                udp
GB       172.217.169.68:443    N/A                                tcp
BE       142.251.168.188:5228  N/A                                tcp
GB       142.250.179.228:443   N/A                                tcp
GB       216.58.204.74:443     N/A                                tcp
N/A      224.0.0.251:5353      N/A                                udp
GB       216.58.204.74:443     N/A                                udp
US       1.1.1.1:53            11art.cn                           udp
US       1.1.1.1:53            www.mdownl.cn                      udp
GB       216.58.212.227:443    N/A                                tcp
HK       156.232.205.103:80    www.mdownl.cn                      tcp
US       172.64.41.3:443       N/A                                tcp
US       172.64.41.3:443       N/A                                tcp
US       172.64.41.3:443       N/A                                udp
GB       172.217.169.68:443    N/A                                udp
GB       142.250.179.228:443   N/A                                udp
GB       142.250.179.228:443   N/A                                tcp
GB       142.250.179.228:443   N/A                                tcp
US       1.1.1.1:53            remoteprovisioning.googleapis.com  udp
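Added example, not part of the sandbox output: a Python triage pass over the behavioral2 Network rows above that separates resolver traffic, multicast noise and IP-only flows from endpoints that carry a resolved name, leaving the names and connections worth pivoting on. The rows are copied from the table above as constructed input; the benign-suffix allowlist is the example's own assumption about what counts as platform noise on the sandbox image.

```python
import ipaddress
import re

# Constructed input: the behavioral2 Network table of this report, copied row for row.
NETWORK_ROWS = """
GB 172.217.169.68:443 udp
GB 172.217.169.68:443 tcp
BE 142.251.168.188:5228 tcp
GB 142.250.179.228:443 tcp
GB 216.58.204.74:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 udp
US 1.1.1.1:53 11art.cn udp
US 1.1.1.1:53 www.mdownl.cn udp
GB 216.58.212.227:443 tcp
HK 156.232.205.103:80 www.mdownl.cn tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 udp
GB 172.217.169.68:443 udp
GB 142.250.179.228:443 udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
"""

# Assumption: names under these suffixes are platform/telemetry noise on the sandbox image.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")

# "Country Destination [Domain] Proto"; the Domain column is empty on most rows.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Turn the flattened network rows into dicts; fail loudly on anything unexpected."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_benign(domain):
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def triage(rows):
    """Split observed traffic into DNS lookups, IOC candidates and unattributed flows."""
    out = {"dns_lookups": set(), "ioc_domains": set(),
           "ioc_connections": set(), "unattributed": set(), "noise": 0}
    for r in rows:
        ip = ipaddress.ip_address(r["ip"])
        dom = r["domain"]
        flow = f"{r['ip']}:{r['port']}/{r['proto']}"
        if ip.is_multicast or ip.is_private or ip.is_loopback:
            out["noise"] += 1                      # e.g. mDNS to 224.0.0.251:5353
        elif r["port"] == 53 and r["proto"] == "udp" and dom:
            out["dns_lookups"].add(dom)            # the queried name matters, the resolver IP does not
            if not is_benign(dom):
                out["ioc_domains"].add(dom)
        elif is_benign(dom):
            out["noise"] += 1
        elif dom:
            out["ioc_domains"].add(dom)            # a connection with a resolved, non-platform name
            out["ioc_connections"].add(flow)
        else:
            out["unattributed"].add(flow)          # IP-only flow: needs passive DNS/WHOIS before use
    return out


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for key in ("ioc_domains", "ioc_connections", "dns_lookups", "unattributed"):
        print(key, sorted(result[key]))
    print("noise rows:", result["noise"])
```

Run as written it reports 11art.cn and www.mdownl.cn as looked-up names, 156.232.205.103:80/tcp as the only connection with a resolved non-platform name, and ten IP-only flows that need passive DNS or WHOIS before they are treated as indicators. The report does not attribute the 142.250.x, 172.217.x and 216.58.x destinations or the 5228/tcp flow (the port Google's FCM push service commonly uses), so the script leaves them in the unattributed bucket rather than guessing.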

Files

/data/user/0/com.conferplat.aq/cache/uil-images/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/user/0/com.conferplat.aq/files/olS.zip

MD5 04beed8b2c96255605ad3cceb6ad1f46
SHA1 6f3201c4f72af194a4d8fac26937a224b3c3044b
SHA256 b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683
SHA512 6c8fc66139916575564374e687dd6ca2b181d845e5438e8ce47c77d9eeb43102c696cb1d20236c0e74a444c328018311d44fea255b703c011aff0b0ce85587dd

/data/user/0/com.conferplat.aq/files/olS.zip

MD5 fce57d160ffdcc9b7dfb08ccafc35a25
SHA1 ae9365343f5eea8f1a5bc6f797e87dd2dc6740a2
SHA256 b82e2d4dae9c27a95a263e4728004479a3e04f0bfa3507a3d4e402c67f2d6cdc
SHA512 a463314a3e28132b0bf43be4693df7b8d7359bc7b1d7d13d29aadb0a4d1069fb97ea18048b56a29a34bb2483bb92ae523032565388573d44946c9c483e165bc8

/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal

MD5 5257bac6a0b6388eecbe0f8bd7b89779
SHA1 20e5a700e721f05e4caff28fecda90226d5a4676
SHA256 bad69bab46f86bd5ae1dd7175aedcdb1cf648b8383fff185dcb2dda020fa61e7
SHA512 2dc86dab3368ad52476bbff5945b882893e821850bebffc7531b5053f69b0d2b3e28a47f778ef2a13e61a5d4efb248fca21816e1c26fe75c5a4f37c0f230168d

/data/user/0/com.conferplat.aq/databases/defaultjpushim.db

MD5 f152c3162890d92ae57fc1ba9d8edc32
SHA1 d71430b4ff2ad16412d1f33a7d1be2d5eb1da724
SHA256 6312e99dd2c70e1ea5f7e1bd50ba9dce19f41169f9a19694c52a14d578e16161
SHA512 c52320ac7d3c1787a962a3a18b3f3528325717261d20896f339d03878de19c7877344c9d84b04c83b9f863f706f9f9e9bb512d6a31d0581bbc861172247f0a2f

/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal

MD5 2861cfd7e65f44bbffaf8fe4fd21ced4
SHA1 ef7a71e817e200db6d6ff271ca0099c311a58094
SHA256 29373c2dbe116ab595961f4426267f43d9d4c3337f3a7819853f4304ce151204
SHA512 770d9eb463ea54c5c55fdd9b20c6fc5f6e52b16434e450eb0794c24a8bbb8b9f29bd0a4132bdc65b63f3b87dc896e242adcd47518dce1156d1b869c0d81deb0d

/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal

MD5 40253cd36bc06e575dfe08d9f602d101
SHA1 1d0f1196338a9efebbe95a539ad400a77de8db85
SHA256 3877d26da9e3f4fdbfe8caabb5808b06c014f0b7dcf7a19ef424be14fdec5ef7
SHA512 e30bdaa508e48307e76a55e3449ebea648a8569ac936b3ab343a280fa310e9a2b84c673a79ef993a421a548158cdc26241d28baf23a0b42ecb79f23ffcffaa6d

/data/user/0/com.conferplat.aq/files/jpush_stat_cache.json

MD5 e91f7d0b7aef0339532264d243879b5f
SHA1 759dfcb02ddd4d96ff3d7874f7ce14cae4dab700
SHA256 a699fc9c5c416a9d3cb03cb1784050d1fe70b85c2588251fd0404f6fe1be6534
SHA512 6a6b2c2e1e13c7585810cab484608181a7bf33bd23b16981fc8295a5cf2452b8d290b1360b82c1ba57eb8561912518ebec99d8d44a6282c7d31b0817d5d3231b
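The two detonations give two Files lists with different path prefixes and partly different hashes. As an added example, not part of the report, the Python below normalizes the paths to their package-relative form, keys them by SHA256 and answers two questions: which artifacts were byte-identical across runs (hashes worth keeping as indicators) and which paths were rewritten with new contents during a run. The input is the path and SHA256 lines copied from the Files sections above; the package-relative normalization is the example's own choice.

```python
import re
from collections import defaultdict

PACKAGE = "com.conferplat.aq"

# Constructed from the Files sections of this report: each path followed by its SHA256 line.
RUN1 = """
/storage/emulated/0/Android/data/com.conferplat.aq/cache/uil-images/journal.tmp
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
/data/data/com.conferplat.aq/databases/defaultjpushim.db-journal
SHA256 ae828987720bf4c7f0daf79de7db4951433e4f1439b6586cc0e268f3f172f343
/data/data/com.conferplat.aq/databases/defaultjpushim.db
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/com.conferplat.aq/databases/defaultjpushim.db-shm
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
/data/data/com.conferplat.aq/databases/defaultjpushim.db-wal
SHA256 6758826af362de88df78ed362515cba1a793ec20cdaa61e51073d233d06fd5d2
/data/data/com.conferplat.aq/files/olS.zip
SHA256 b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683
"""
RUN2 = """
/data/user/0/com.conferplat.aq/cache/uil-images/journal.tmp
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
/data/user/0/com.conferplat.aq/files/olS.zip
SHA256 b2e9e900cb9b5760cae5d1d58bcc03527c987886a9fa02a998c912cc4aff6683
/data/user/0/com.conferplat.aq/files/olS.zip
SHA256 b82e2d4dae9c27a95a263e4728004479a3e04f0bfa3507a3d4e402c67f2d6cdc
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
SHA256 bad69bab46f86bd5ae1dd7175aedcdb1cf648b8383fff185dcb2dda020fa61e7
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db
SHA256 6312e99dd2c70e1ea5f7e1bd50ba9dce19f41169f9a19694c52a14d578e16161
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
SHA256 29373c2dbe116ab595961f4426267f43d9d4c3337f3a7819853f4304ce151204
/data/user/0/com.conferplat.aq/databases/defaultjpushim.db-journal
SHA256 3877d26da9e3f4fdbfe8caabb5808b06c014f0b7dcf7a19ef424be14fdec5ef7
/data/user/0/com.conferplat.aq/files/jpush_stat_cache.json
SHA256 a699fc9c5c416a9d3cb03cb1784050d1fe70b85c2588251fd0404f6fe1be6534
"""

SHA256_RE = re.compile(r"^SHA256\s+([0-9a-fA-F]{64})$")


def parse_files(section):
    """Return (package-relative path, sha256) pairs from a Files section."""
    pairs, path = [], None
    for line in section.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # The runs use different roots (/data/data, /data/user/0, and app-specific
            # external storage under /storage/emulated/0/Android/data); keying on the part
            # after the package name lines the same logical file up across runs (assumption).
            path = line.split(PACKAGE + "/", 1)[1] if PACKAGE + "/" in line else line
        elif (m := SHA256_RE.match(line)) and path:
            pairs.append((path, m.group(1).lower()))
    return pairs


def correlate(runs):
    """runs: {run_name: [(relpath, sha256), ...]} -> (stable, versions)

    stable:   sha256 -> set of run names, for hashes seen in more than one run
    versions: relpath -> set of sha256, i.e. how many distinct contents each path had
    """
    runs_by_hash = defaultdict(set)
    versions = defaultdict(set)
    for run, pairs in runs.items():
        for relpath, digest in pairs:
            runs_by_hash[digest].add(run)
            versions[relpath].add(digest)
    stable = {h: r for h, r in runs_by_hash.items() if len(r) > 1}
    return stable, dict(versions)


if __name__ == "__main__":
    stable, versions = correlate({"behavioral1": parse_files(RUN1),
                                  "behavioral2": parse_files(RUN2)})
    for digest, runs in stable.items():
        print("stable across", sorted(runs), digest)
    for relpath, digests in versions.items():
        print(f"{relpath}: {len(digests)} distinct content(s)")
```

journal.tmp (68bb33dd…) and the first olS.zip (b2e9e900…) are identical in both runs; olS.zip was then rewritten during behavioral2 (b82e2d4d…), and defaultjpushim.db-journal appears with four distinct contents, which is what a SQLite rollback journal looks like while the app is running. The stable olS.zip hash is therefore the artifact worth carrying forward as an indicator; the database journals are not.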