Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-sbfgss1hjr
Target b419c13564827ed8a818e6b786578f61_JaffaCakes118
SHA256 5d4fc5f494c3a71d7e8871614ee3b814299e82cf0af182dc7896d07ef03a566f
Tags
discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5d4fc5f494c3a71d7e8871614ee3b814299e82cf0af182dc7896d07ef03a566f

Threat Level: Shows suspicious behavior

The file b419c13564827ed8a818e6b786578f61_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence

Loads dropped Dex/Jar

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 14:56

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 14:56

Reported

2024-06-16 15:00

Platform

android-x86-arm-20240611.1-en

Max time kernel

4s

Max time network

163s

Command Line

com.cognitievedroid.ikvg

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk N/A N/A
N/A /data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk N/A N/A
N/A /data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.cognitievedroid.ikvg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk --output-vdex-fd=65 --oat-fd=63 --oat-location=/data/user/0/com.cognitievedroid.ikvg/app_analytics/oat/x86/analytics_asset.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ask.starreq.cn udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk

MD5 73c2ac27961b9db4274ca13a178c0fa2
SHA1 3d1b1a8f6c9bc63fc88068c71e98bbe70797d03e
SHA256 751012d560a3c16a6f377f403ea12b9c6805a279d84c08210f9a5543c5bef42e
SHA512 591bf3bd1316189616aed273c5bdcb49ed1c46fc7bdf6ee1db9ce11b317dbfda5477989cc3ceafaa2e02dc6555afa1ac4ba872ea27d9a8ae9b5a9ac3abadcef8

/data/user/0/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk

MD5 e865fc4fa68968e2f5375e94d8b9a9ed
SHA1 ba765ce01cb46ddd73de57ee5035e39133840d1b
SHA256 b1fff92a015efe5fbe4c4dc2c23fbeb7b10682dee887d91e80d7db939ae91e5c
SHA512 cf5ea475bd4e5edb0e6e1a5e30e979edb49e6d683370fa05e410635c1251e5293ab59e830e5840556b0721e22b954b2c50341f26eae4a3e71ce5280246259b94

/data/data/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk

MD5 d2e90bb505f20fc73baf25805b0273aa
SHA1 240fbbfda194a65761baed6f3546bc4c744a1850
SHA256 77060ad812f5e6e9e896c39bc548f8295238eaa9941e1986e8e024e7d2114309
SHA512 c2ef3f79b6cfb171b0904ff8138238cbf985344d91d6d9ec35472d14233d1b108cc0234259e8286cbb099747cc8d9d2f74c8c7394ab3a6dcfc2cc95e168c8c85

/data/data/com.cognitievedroid.ikvg/app_analytics/asset_lib/libanalytics.so

MD5 cd1cdef06a5e2a33c5c9e7d4a6cb915f
SHA1 8df09fd32c4fa6b821d9dee89a4fcbf7d32b9b02
SHA256 929c2b04d1495dd1a8b8b72552daedb5d8c385526fac224f5e3c466f748467bf
SHA512 8518002482356e5caad64d33f74172f13fdf3150a05d3dd20662bac8e3ff3e95986a5a7331fc60753d6db8eb5aa3e0779127946505d1fbd03e197359203f88f1

/data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk

MD5 6d363f8778efe0e54f37ccce23d16fbc
SHA1 11d186169520c633d09a1a775747ed0fe5181c55
SHA256 b1b9b928f020d1ecd232211f2733dd1fc640f5101db35794ef43dca96766aa55
SHA512 e375c9d975e4c44d7424c43f7c01cdb5db474a71c4658ca1a021a5cd3265a8e5027f671f3d04ddee962a34f65ae4eeba5c45c36c286a8016277993a1d6931cb9

/data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk

MD5 6f6ca30e708e8d98c6b073d10a1fa151
SHA1 7a41fd920ec83ed67e7505b5d4855eaf282d8e7c
SHA256 aa7650f1cf19b3db8d70d765bab8a9ef6f234b9d3bf0d63fe682882302da1c4d
SHA512 6e4070e1ea36f13db1b562ecf42519e4ef13349bb5221d49b9b34781c573a2d034b287fc8c644f16ff7649b7669ce811fbd3be75b22acd31ee9ee6bfc62dee5c

/data/data/com.cognitievedroid.ikvg/databases/requests.db-journal

MD5 bea4d22d37740ec948157b41d8d0419d
SHA1 3842a1e38bab6eabec518823f762d8a12f693fa7
SHA256 7d5dd534f9d4eccb7ae59d4d0761b8bb479671d765423142c0594662138893c0
SHA512 2c32241930d85926e6d93cc9a6b107fe5c3c274c3df87ff75e543d9c9ff86d374e25875eda56a8d6f035bab97a6a9b5213e35af1018877e9734b1c8a5435cbd1

/data/data/com.cognitievedroid.ikvg/databases/analytics.db-journal

MD5 1fde1d1413e9afc4522196ded7bd57dc
SHA1 dc6ee497d5cd977495e9c52cc386ee54c05176c6
SHA256 d944dd71a3f438484a7058c8c54f8d8362d012ddaec1b7ffb2e7cea9e2f461ae
SHA512 bb0e49e3d120d990666ee2ac3038b3c89a94a425f7c165a988dae994294f2a2371e9569d4058667768db682f7a59914832ad8c37114017d3133e1eaaa1b0b964

/data/data/com.cognitievedroid.ikvg/databases/analytics.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 14:56

Reported

2024-06-16 15:00

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

3s

Max time network

132s

Command Line

com.cognitievedroid.ikvg

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk N/A N/A
N/A /data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.cognitievedroid.ikvg

Network

Country Destination Domain Proto
GB 172.217.16.228:443 udp
GB 172.217.16.228:443 udp
GB 216.58.212.196:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ask.starreq.cn udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
GB 216.58.212.227:443 tcp
US 162.159.61.3:443 udp
GB 216.58.212.227:443 udp
GB 172.217.16.228:443 udp
GB 142.250.179.228:443 udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/user/0/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk

MD5 73c2ac27961b9db4274ca13a178c0fa2
SHA1 3d1b1a8f6c9bc63fc88068c71e98bbe70797d03e
SHA256 751012d560a3c16a6f377f403ea12b9c6805a279d84c08210f9a5543c5bef42e
SHA512 591bf3bd1316189616aed273c5bdcb49ed1c46fc7bdf6ee1db9ce11b317dbfda5477989cc3ceafaa2e02dc6555afa1ac4ba872ea27d9a8ae9b5a9ac3abadcef8

/data/user/0/com.cognitievedroid.ikvg/app_AdServer/AdServer_asset.apk

MD5 e865fc4fa68968e2f5375e94d8b9a9ed
SHA1 ba765ce01cb46ddd73de57ee5035e39133840d1b
SHA256 b1fff92a015efe5fbe4c4dc2c23fbeb7b10682dee887d91e80d7db939ae91e5c
SHA512 cf5ea475bd4e5edb0e6e1a5e30e979edb49e6d683370fa05e410635c1251e5293ab59e830e5840556b0721e22b954b2c50341f26eae4a3e71ce5280246259b94

/data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk

MD5 d2e90bb505f20fc73baf25805b0273aa
SHA1 240fbbfda194a65761baed6f3546bc4c744a1850
SHA256 77060ad812f5e6e9e896c39bc548f8295238eaa9941e1986e8e024e7d2114309
SHA512 c2ef3f79b6cfb171b0904ff8138238cbf985344d91d6d9ec35472d14233d1b108cc0234259e8286cbb099747cc8d9d2f74c8c7394ab3a6dcfc2cc95e168c8c85

/data/user/0/com.cognitievedroid.ikvg/app_analytics/asset_lib/libanalytics.so

MD5 cd1cdef06a5e2a33c5c9e7d4a6cb915f
SHA1 8df09fd32c4fa6b821d9dee89a4fcbf7d32b9b02
SHA256 929c2b04d1495dd1a8b8b72552daedb5d8c385526fac224f5e3c466f748467bf
SHA512 8518002482356e5caad64d33f74172f13fdf3150a05d3dd20662bac8e3ff3e95986a5a7331fc60753d6db8eb5aa3e0779127946505d1fbd03e197359203f88f1

/data/user/0/com.cognitievedroid.ikvg/app_analytics/analytics_asset.apk

MD5 6d363f8778efe0e54f37ccce23d16fbc
SHA1 11d186169520c633d09a1a775747ed0fe5181c55
SHA256 b1b9b928f020d1ecd232211f2733dd1fc640f5101db35794ef43dca96766aa55
SHA512 e375c9d975e4c44d7424c43f7c01cdb5db474a71c4658ca1a021a5cd3265a8e5027f671f3d04ddee962a34f65ae4eeba5c45c36c286a8016277993a1d6931cb9

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-16 14:56

Reported

2024-06-16 14:57

Platform

android-x86-arm-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-16 14:56

Reported

2024-06-16 15:00

Platform

android-x86-arm-20240611.1-en

Max time network

131s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.178.3:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

N/A