Malware Analysis Report

2025-01-19 08:02

Sample ID 240616-sgqvqasbjr
Target b423d5e4e4294d06d33be7c7c6abcf93_JaffaCakes118
SHA256 f27bfade64588e89184e1d457eb183a585fbbdf1034df6e790858685a8eb33fd
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f27bfade64588e89184e1d457eb183a585fbbdf1034df6e790858685a8eb33fd

Threat Level: Shows suspicious behavior

The file b423d5e4e4294d06d33be7c7c6abcf93_JaffaCakes118 was found to show suspicious behavior (score 7/10). The score is built from generic behavioral signatures (installed-application enumeration, network and device-identity queries, a broadcast receiver registered at runtime, crypto API use); the "banker" tag is attached only to the installed-application query, and no family attribution is made. The launched package, org159.geometerplus.zlibrary.ui.android, is the FBReader package name (org.geometerplus.zlibrary.ui.android) with an added prefix, and the /storage/emulated/0/youmicache directory together with the aos.wall.youmi.net lookup is consistent with a bundled YouMi ad SDK; the e-book artifacts (books.db, config.db, the .epub under LaBooks) match a reader application.

Malicious Activity Summary

banker discovery impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 15:06

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
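A check one would run against the decoded manifest to reproduce the static1 signature, added here as an example and not the sandbox's own code: it parses a decoded AndroidManifest.xml (as produced by apktool) and flags the permissions Android marks protectionLevel "dangerous". The manifest string is constructed; it carries the four permissions the report lists plus INTERNET and the normal-level WAKE_LOCK, ACCESS_NETWORK_STATE and ACCESS_WIFI_STATE that the behavioral calls in the next sections (acquireWakeLock, getActiveNetworkInfo, getConnectionInfo) require. Whether the real sample declares those normal-level permissions is not stated in the report, and the DANGEROUS table is a hand-picked subset of AOSP's dangerous permissions, not a complete list.

```python
"""Flag dangerous (runtime-prompted) permissions in a decoded AndroidManifest.xml.
Added example, not part of the sandbox report; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hand-picked subset of AOSP permissions with protectionLevel "dangerous",
# mapped to their permission group. Not exhaustive.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
}

# Constructed stand-in for the sample's decoded manifest: the four permissions
# from the static1 signature, plus normal-level ones assumed for the behavioral calls.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org159.geometerplus.zlibrary.ui.android">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attributes in the android: namespace
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage(manifest_xml: str) -> dict:
    """Split requested permissions into dangerous ones (with group) and the rest."""
    perms = requested_permissions(manifest_xml)
    dangerous = {p: DANGEROUS[p] for p in perms if p in DANGEROUS}
    normal = [p for p in perms if p not in DANGEROUS]
    return {
        "requested": perms,
        "dangerous": dangerous,
        "groups": sorted(set(dangerous.values())),
        "not_flagged": normal,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, group in result["dangerous"].items():
        print(f"dangerous  {group:<9} {perm}")
    for perm in result["not_flagged"]:
        print(f"normal               {perm}")
```

The static signature lists only the dangerous permissions, so the normal-level ones that explain the wake-lock and network-state calls never appear in the report; pull them from the manifest yourself before deciding whether those behaviors are noteworthy.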

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 15:06

Reported

2024-06-16 15:09

Platform

android-x86-arm-20240611.1-en

Max time kernel

12s

Max time network

158s

Command Line

org159.geometerplus.zlibrary.ui.android

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org159.geometerplus.zlibrary.ui.android

org159.geometerplus.zlibrary.ui.android:library

org159.geometerplus.zlibrary.ui.android:crash

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | aos.wall.youmi.net | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | - | tcp

Rows with destination 1.1.1.1:53 are DNS queries sent to the sandbox resolver; the queried name is in the Domain column and the resolver is not a contact of the sample. 224.0.0.251:5353 is link-local mDNS. A "-" in Domain means the sandbox attributed no name to that connection.

Files

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 a9e46832a1d67f0b4c582203282888a3
SHA1 5de1aafbc717c686922236f645e9f70c2179b1dd
SHA256 f5b6750007c1201d0373526cd1120bd6b3e0dce8da3c293675377d674477d718
SHA512 f7165e13ccd0c9fcc3a1cb071c649adc4f202d01f77ae9fc2ee62f3c54548d89d8e9377c9bc1e857621cb20a99b836d2c210077710f52bd1c3c5fb7f41b98da3

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-wal

MD5 69755b79ec83aebea2b3abbedc163280
SHA1 36bcce79beaaf796fef789deb7178f392bea83d1
SHA256 2e0b0b1255ec83b9d0c53ae510ddd376a0d20d8218dc7c984bb88a793990a1fc
SHA512 8e984e9a0c06ce80d8b4831ae154ebd0f52626e4a75e2de452e0627e0e809e13e995503d90740060400a345fdc38cfe361eb6311d69fce4b988cdbbc8e85cdc4

/storage/emulated/0/LaBooks/shishangdiyi.epub

MD5 82fe449665e4c6b97b4055a252571da9
SHA1 a098dd970d8fcd62de64bebe4f9537f224941911
SHA256 ad647c0c5981b1b0677607a10d30678d3819bfab5f06e01fff9e1486a7c53968
SHA512 362c78dd9c0f8859eb724dd78469398bfaf986bca212cced6fed8640b950c617198bb80d1714d50477921a11c52c46b0eac63e991e49633a3d52d321f87aaefa

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 718aaa4bb282c2d7392358d33b3c2b5b
SHA1 1ac9f3c20ea9e9169141cb24e443c296dd3826e5
SHA256 e03fdc97333a9d31671eae71e4dd80a308bd5a70c340c608b1c411ef921102a5
SHA512 6a80326dda4501bf85a3bee55ae8a0abeb56c2eec7c82d794cf41d94e595470a2835a729499804686619d54e5e01416cd1f4afe1c72d3dec1e0d8c8e228f1652

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-wal

MD5 4a0e43be1d62ff16dc4988f4b184788d
SHA1 8b5082aba26b341a85d38aed4108b67dc9879a68
SHA256 f7f2d7c228b942f58cdd855c592024d543764f25337b6d12dba4072a005d0251
SHA512 170342532dace81a11d6bc36747e6ec19903d40fa53971d80cc8ff38e2de2af2c417d86b77bc54371ba48fa1e35298e324a50ecda111ece80aa53482f6098f2e

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 a836d0d6e3ecd2106f6ec3a1b23b1721
SHA1 510b6f805d8a310786962accdca5dfe6e755704b
SHA256 34c2bf0711b84a7954ea855c29af86ab572e5295bdd8e53895b9caf003f3c62c
SHA512 0779106e3eea93f83b7ae15b1307f89e4fb5575cc6dfc8b0aed9d71de756bd093054e0cad4858136dd58e20b0eae37a8c855603d2940e7d9e52f53a86d30ac9f

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf

MD5 77ed0b4e11ab1de85e99a654750e17f5
SHA1 3b926a62333fc90771e1069a5624f2c552e27e54
SHA256 0e2922ca6593a8f733373472435a2754fc1cf6368e1f91b392e8968fdedd61c8
SHA512 1ba48541f11ffb15c5c564a56d9a0f988b66c04ce2ee9404dbc6fcc607456f6dcb4be4c5aa64f3055465b366bf302d1009cdf8d07af4f5ac3fd85cf2ff2ffecb

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-wal

MD5 f0eb5e594b19ea659925ce3d13db08e5
SHA1 6d9a192eb646e4133fb75dec1df940dd897f640d
SHA256 f8581048f61eab7710b549491cc059c2baef8bb0e17d78deacadfc1415345a69
SHA512 117897d1ca49a0176d6ff5975341244234a681168f4d50003c6d564db764c927a28f3c473ea2b535d187cca24e7a712595785ad77c75be6268ced5309c0d757a

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 974df87b09e015c3a2aa475a44190ee9
SHA1 f8b5d25a080b987fd86af34bd9c4f12aa9d02a9d
SHA256 0f71c9ea2d0eda3d8eb4acf2d0f5bd5c0a1c0029a6c4dc753a6a7b5b450d97e2
SHA512 f47834edcb538f4fa53150696a30fd3d0325db998f22a36500fcd4a37b1d9e08996fe71884a52365c72a72454e5bb1c4b4d1b9c3c9ac2a02584c85caa7294781

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-wal

MD5 94436d982d2fac2b4701ed3be96d8c32
SHA1 c9d2ad4865b3b2ba04fcc6204752d48cde379670
SHA256 da34a47469b441f85975395c9f2e06087e5832cc10a75ec9d86df3b3c6dcb4a8
SHA512 d414f546952b12195136692b9a60d4b477eef937afdcd41872e2f643347ccee41dd4a13e0c87005134cd70200362ffbc99afaa523c23ed7d6004046b817721b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 15:06

Reported

2024-06-16 15:09

Platform

android-x64-20240611.1-en

Max time kernel

14s

Max time network

155s

Command Line

org159.geometerplus.zlibrary.ui.android

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org159.geometerplus.zlibrary.ui.android

org159.geometerplus.zlibrary.ui.android:library

org159.geometerplus.zlibrary.ui.android:crash

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | aos.wall.youmi.net | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.234:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 172.217.169.46:443 | - | tcp
GB | 172.217.16.226:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp

As in behavioral1, the 1.1.1.1:53 rows are DNS queries to the sandbox resolver and 224.0.0.251:5353 is mDNS. aos.wall.youmi.net is looked up in both runs but no connection to it was recorded in either; every attributed TCP connection goes to a Google host.
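Turning the two flattened Network tables (behavioral1 and behavioral2) into an IOC list, as an added example that is not part of the report: the rows below are copied from both runs with exact duplicates dropped, and the parser separates resolver traffic (destination port 53/udp, where only the queried name matters), link-local multicast, and real connections. The rule that anything under google.com or google-analytics.com is stock-image background traffic is this block's assumption, not the sandbox's.

```python
"""Parse sandbox Network rows into resolver queries, multicast noise and
connections, and list the names worth treating as IOCs.
Added example; NETWORK_ROWS is copied from the report's two tables, de-duplicated."""
import ipaddress

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 aos.wall.youmi.net udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.234:443 tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.178.4:443 tcp
GB 172.217.169.46:443 tcp
GB 172.217.16.226:443 tcp
GB 142.250.178.14:443 tcp
"""

# Assumption: names under these suffixes are background traffic of the
# emulator image, not something the sample itself introduced.
BENIGN_SUFFIXES = (".google.com", ".google-analytics.com")


def parse_row(line: str) -> dict:
    """Split 'country dest [domain] proto' and classify the row."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    country, dest, proto = parts[0], parts[1], parts[-1]
    domain = parts[2] if len(parts) == 4 else None
    host, port_text = dest.rsplit(":", 1)
    ip = ipaddress.ip_address(host)
    port = int(port_text)
    if ip.is_multicast:
        kind = "multicast"          # 224.0.0.251:5353 is mDNS on the local link
    elif port == 53 and proto == "udp":
        kind = "dns-query"          # destination is the resolver, not a contact
    else:
        kind = "connection"
    return {"country": country, "ip": str(ip), "port": port,
            "proto": proto, "domain": domain, "kind": kind}


def is_benign(domain: str) -> bool:
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def extract_iocs(table: str) -> dict:
    """Return resolver IPs, queried names, flagged names, and the connections
    that were (or were not) attributed to a name."""
    resolvers, queried, flagged = set(), set(), set()
    attributed, unattributed = set(), set()
    for line in table.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        if row["kind"] == "dns-query":
            resolvers.add(row["ip"])
            if row["domain"]:
                queried.add(row["domain"])
                if not is_benign(row["domain"]):
                    flagged.add(row["domain"])
        elif row["kind"] == "connection":
            dest = f'{row["ip"]}:{row["port"]}'
            if row["domain"]:
                attributed.add((row["domain"], dest))
            else:
                unattributed.add(dest)
    # A flagged name only becomes a confirmed contact if a connection was attributed to it.
    confirmed = sorted(d for d, _ in attributed if d in flagged)
    return {
        "resolvers": sorted(resolvers),
        "queried": sorted(queried),
        "flagged": sorted(flagged),
        "confirmed_connections": confirmed,
        "attributed": sorted(attributed),
        "unattributed": sorted(unattributed),
    }


if __name__ == "__main__":
    r = extract_iocs(NETWORK_ROWS)
    print("queried names  :", r["queried"])
    print("flagged names  :", r["flagged"])
    print("confirmed      :", r["confirmed_connections"])
    print("unattributed   :", r["unattributed"])
```

The output for this sample is one flagged name (aos.wall.youmi.net) with no confirmed connection to it, plus a handful of 443/tcp destinations the sandbox could not attribute to a name; those unattributed addresses should be resolved against the capture's own DNS answers before they are published as indicators.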

Files

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 cf9bd296884832bf0c3845562ed7eea4
SHA1 c0de7b62392e59125f3c603a6f12bbb530cc3dee
SHA256 8a33d2b2b8313320a328710b49023d44a6274d6c7f4e2187ff195b9307f9fe68
SHA512 edd5ba66acb09bf0d41b42882184ed5d853746e73a9a66c780eb84fdb3599e99fb2ca6fc1fff0358bf8bfc2d9a8ce699fdb130607b5123e08e2b2eb2b53796ef

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db

MD5 5136beb739d9d21e9860182a9479c2e4
SHA1 db1a1df35af449ab9df3fa59c015fcb74296540f
SHA256 df7557bbcd945b93d1990dfe48efd7a63ca4246f515bcd9efc6b20caf6803f51
SHA512 5886ca1818d5a0dda48d8a21ecd43ca99f344cb8dae9b7b56e5b38028afd5cb896d6282797268e655e71396a89a1698cc7f3fdfb6e634377201b7de97b5a748f

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 d5fbfd74c678d40e4e95b5747ee87ee3
SHA1 76786c127607839b4b1d834587c44da6e6c52ba1
SHA256 97089f67ffc391a8fed9094181cc054e3acb50263c5e600baa5d0d124d3c8743
SHA512 d6ac58f5c5b4e80d6c6c581f87b53b172ae55b6c6bf694aacf7d0adefa762cf44bbda66b0a4839b26435af7fdca15bfdae07c3c8d179a2da1f061f19d0dc0669

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 36277e561a717a547eadd680f231b720
SHA1 ab9c7f1ecf95b7226ea6843c8e92f4ee2a166d69
SHA256 629a4c0a5168695767f190b5f79855a40137b507a3d09784cd0ce7c92122da38
SHA512 92d114d2090a6390a5c5b5beaf508bf485e51de104c0b03a4f1de3869be92d23d0357f165ebd5f657c1133dbbd3f66115e9cf2dba05e762909373231bcf2e0bf

/data/data/org159.geometerplus.zlibrary.ui.android/databases/config.db-journal

MD5 8f7d2f52b7214e2963859f67d38079f7
SHA1 ff675c33f79ca32e9c940659e700874c86858904
SHA256 208cb904f4b23eed139076a361f6879db77fd002c349271221272b766a783a57
SHA512 34aaf9d5974934fafa512afae938c39b947aeedc5b1ae4b2939ee486a101e057170c173f2ae5c285b5bb3625f9657cf4d389032b739354bfc447643d16c9719b

/storage/emulated/0/LaBooks/shishangdiyi.epub

MD5 82fe449665e4c6b97b4055a252571da9
SHA1 a098dd970d8fcd62de64bebe4f9537f224941911
SHA256 ad647c0c5981b1b0677607a10d30678d3819bfab5f06e01fff9e1486a7c53968
SHA512 362c78dd9c0f8859eb724dd78469398bfaf986bca212cced6fed8640b950c617198bb80d1714d50477921a11c52c46b0eac63e991e49633a3d52d321f87aaefa

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 d0b868386a525b1a41d97514a5a5da24
SHA1 c4089dd7eda3eb6bf4ba8bf46dbcaadf67515be5
SHA256 f92d5c443f2ddb74be253525eff300ea3f1820fd42678572769da21efb5be784
SHA512 fbe9608c26aac04c18818ce11f9f4ae5775b6b5fd93fe55143236fdd4343bf049f77a00c3f86b04ddadddb3b4e0aa278371b3236a72f53ea6d903ba618723012

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db

MD5 4780c3d57419ad95d111a36831fa52ac
SHA1 4cc28014e03db6ff51eb152d6cffd87fc785b0ee
SHA256 89f60d2992a7095ce188123282aba188a60af29086fe4996eff3bd444bfdd3bb
SHA512 12457ad93a8e4b3c33085ddc5ad57c823e0fa54e3b1251bb923717e614cc7fe75f6915da6088957ef991c3beaf0581b96bb75ef27d93e78d924ab117054e758b

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 faebedb3e4a9400c20897a144a881ea7
SHA1 70ab9a9d68fe2260b64223576e69f1827afe7649
SHA256 bb25204a4b63edffe71168d7bd29a5e449976c8708ef7c61692363dd85dae8e8
SHA512 147ef5b26336d11580ba10286d0c5fff1f9906be9eeade5bd4381aa54df53ccaed8a56e5a8ccefab656172dfba3002a3dcb03aafa3e042b53162ce93f3b36d4d

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 f856e9186308ef84236280036bb9ca0c
SHA1 d9aea46cce19930b92907e816ef26602e022e75e
SHA256 be8cd73ee5149e435aecc967950473ce10010f515dedfb8943ae12bd0672cffa
SHA512 949de2fe04c8e6710621e10476d72e36facdc21b902a9ace1e0b9492f054db0f7366782b9c458ee96387d3be6a644f6edcbca7e7d95b4f929955341247bcf565

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf

MD5 ec9105ac6fe38232bea556a6596867c3
SHA1 e14eca8ddd65ebc5fd6772ebf5bf154c3cb9cdeb
SHA256 7957a328f413a0febd1721935c6e8ac4563af990addd551012f035922f5abd5f
SHA512 db9b1fccfd6ae3bcac17a22b26996e12f96cf5bea1260f937403a1e0272c43eb9d269498d56411d4b6e8e3c11dfc637d78f7ee5051a422af0cc0864f4d72cc95

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 fef7eb05f11fefd153cca9cb2f35737c
SHA1 40f0d423a719adc8fe864e834cac5d1276087319
SHA256 074ec3cb444069476550b91d0ececfb8fd16f3d7a1b844f67a2c2cd5301a675c
SHA512 a9839d5a2df5338ee13d0fda5e8b2055b5965c1cb3ca2ecff8f85c4f198274aacf5410281b3ba3c618b628d3ef2a70b2e6c01abdd080506942fbf8ccf3dd41bd

/data/data/org159.geometerplus.zlibrary.ui.android/files/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 1401b520cf1eb54aa175e186776920b6
SHA1 7ea98b5cfd3434f3623a55bd38c410507ba53bb4
SHA256 0cf826a8dfc76a575678683bf111c799253d4db7c87c1b87f7ee772c241f461c
SHA512 597cf3acca2c3cbd96c9e56e5319596475df2e1b34f367c199a4728a40dcacea2b035c11bf186c6773796b3381def598e90d2bad825010f9237d7d5ddda1c7b1

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 97a25e3b600a8078196a77cbe24a8d67
SHA1 4123a675634e7541864caecae61557068fd1688a
SHA256 d49d24c4fa815cc4153ab574c6bda911a92fac454e998f50fb0f2f98364fdab0
SHA512 bc834635714118273399fc9dc1b43c45615a3cec11605c2c8755487a175aca9b18c4c9690e3e84a16fe747b1310557ad68e3b7626e3eb39f4e7ad1866b7c6819

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 bac617b8205e74bcae4d89f63eaa6562
SHA1 86ac7dac606bb5a4981abfba0bb6b18555084919
SHA256 de11ca58357cf0552e5efe81912ae656d82539763961bd3c9ccb8ef9ecce3b8d
SHA512 bee0e6bb426fb32ae0a8c15c15e68d6e28bccb839f26752cde388743d9fae5d5d1e85366386e122a4114e54c1218c8628d07fa02b1353dcb6a07e157539de27d

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 5cf59b8a74c995c0e50f9ab48b30d537
SHA1 64764471cba559d2eb16a93676d5cdfa58e19766
SHA256 3617dcf93dad21b2ff1f6b1aaba5b2224dafeaee81f2009e8dcc8e9b4a666339
SHA512 e30deda7815ecfb6f9374ed0e3164d901d7261cf091f13d91688646ff5ab07a749db5634e6b4af59ff9ad2091280c39281879749912598f1f981cac174d0a893

/storage/emulated/0/youmicache/CCA9582BC81E888EA674F157E5540CF8/abf3531c1a6d5f50849b3b4d000098bf-journal

MD5 3eab8c2b2c3b0513e137fa8ea3619b9a
SHA1 df678106796d37b3dceb11865bd6713976fc3827
SHA256 6c53e32ab3d7fee1d6d5054e4a50fa00e25cd19579de860ceb73a1faa0bf15e8
SHA512 21954b1b0ba49ecaafc2b17ecc20296a71774d02e4851a7f9323965b7c0fa8be217f33bcca6bc314f0e402ab35e7ca072975753b09ec797594ae20aed57f3e76

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 4735f093be18cbdd0d51b9c731d76364
SHA1 12b30f00abc1048d536e7ec93178fea1d9cebbea
SHA256 4ad997bf48da496b0ef30b6ad5d91a3437ac38237148f24de18b83b3d98ccfc6
SHA512 2203bc189706a00535b2077ffa9fbfadf52799181920888b8fa5b9ec7dd6dd66e7d8bd349037ab0292df9810efb7dd4fa78ad3951f51b07ede1da3c86ab6c76c

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 618634f7f797c1670d8e35ce96098bca
SHA1 1064f4b8ebc3d55cd82f71e9f54494b1341ed715
SHA256 a40578cefc266832b374e60faf07b629d62bdf5099adfe74168c4091a65f8a78
SHA512 c0f6282c4cb0038b4baf1b90dfd08e59b51fa939efef794ed50e3fa533fb6dbca5ebfda5e1e919e47e235d63c3527a617374b7fd8fcf3663c1daa6b043f2a9c7

/data/data/org159.geometerplus.zlibrary.ui.android/databases/books.db-journal

MD5 2f5c3134c5f32aee6164e742c1eec23d
SHA1 ca3b933f91e1fc3bdeace2bc1e1b71749c578810
SHA256 12ac4f12507922683e3d2ce586024b1359419bd2b4e821151ad9e63387a33e0f
SHA512 fef303b3780790e10ec8e5bf48890646a6b4a91218f73df73a2c831067e73a3fb27a86605a7ccb1b5e010bdf1ed65b915f57f081ec012ab2a39b317e3fba1edb
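The Files lists of both runs are dominated by SQLite artifacts: config.db and books.db with their -journal, -wal and -shm sidecars, each hashed separately, and the same path listed more than once because the sandbox snapshotted it at different points. The example below is added here and is not the sandbox's code; it builds a small WAL-mode database in a temporary directory (constructed data, not the sample's real books.db), classifies and hashes the resulting files the way the report does, and shows why a main .db file collected without its -wal sidecar is missing committed rows.

```python
"""SQLite artifact triage: classify main/journal/wal/shm files, hash them with
the four digests the report uses, and demonstrate that committed rows can live
only in the -wal sidecar.  Added example; the database content is constructed."""
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every main database file
SIDECARS = ("-journal", "-wal", "-shm")


def classify(path: str) -> str:
    """Map a path from the Files list to main, journal, wal or shm."""
    for suffix in SIDECARS:
        if path.endswith(suffix):
            return suffix[1:]
    return "main"


def is_sqlite_main_db(path: Path) -> bool:
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def hash_file(path: Path) -> dict:
    """MD5/SHA1/SHA256/SHA512 of one file, streamed in 64 KiB chunks."""
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def count_rows(db: Path) -> int:
    """Row count of the constructed 'books' table; -1 if the schema is absent."""
    con = sqlite3.connect(db)
    try:
        return con.execute("SELECT COUNT(*) FROM books").fetchone()[0]
    except sqlite3.OperationalError:
        return -1
    finally:
        con.close()


def wal_demo() -> dict:
    work = Path(tempfile.mkdtemp())
    src = work / "src"
    src.mkdir()
    db = src / "books.db"
    # Constructed stand-in for FBReader's books.db; autocommit so each statement commits.
    con = sqlite3.connect(db, isolation_level=None)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE books(id INTEGER PRIMARY KEY, path TEXT)")
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")   # schema now in books.db itself
    con.execute("INSERT INTO books(path) VALUES (?)",
                ("/storage/emulated/0/LaBooks/shishangdiyi.epub",))
    # No checkpoint after the insert: while `con` stays open the row exists only
    # as frames in books.db-wal, exactly the situation a live-device pull sees.
    only_main = work / "only_main"
    only_main.mkdir()
    shutil.copy2(db, only_main / "books.db")
    with_wal = work / "with_wal"
    with_wal.mkdir()
    for name in ("books.db", "books.db-wal"):
        shutil.copy2(src / name, with_wal / name)
    result = {
        "files": {p.name: classify(p.name) for p in sorted(src.iterdir())},
        "main_is_sqlite": is_sqlite_main_db(db),
        "wal_is_sqlite": is_sqlite_main_db(src / "books.db-wal"),
        "rows_without_wal": count_rows(only_main / "books.db"),
        "rows_with_wal": count_rows(with_wal / "books.db"),
        "hashes": {p.name: hash_file(p) for p in sorted(src.iterdir())},
    }
    con.close()
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    r = wal_demo()
    print("files          :", r["files"])
    print("rows, db only  :", r["rows_without_wal"])
    print("rows, db + wal :", r["rows_with_wal"])
    for name, h in r["hashes"].items():
        print(f"{name:<14} sha256={h['sha256']}")
```

Collect a database together with its -wal (and -journal, which in rollback mode holds the pages needed to undo an interrupted transaction) and hash each file separately, as the report does; the -shm file is a rebuildable index and carries no data of its own. A -wal sidecar that hashes differently between two snapshots, as books.db-wal does across the two runs above, means the application committed different rows, not that the file was tampered with.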