Malware Analysis Report

2025-01-19 04:54

Sample ID: 240617-29ahwasflp
Target: ba17dd1ecc2680c19481056e6a5bdec7_JaffaCakes118
SHA256: 892091d0aabd459e51ad041c44c3b24b595307041222aa09621d9deca033bb6f
Tags: banker collection discovery evasion impact persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 892091d0aabd459e51ad041c44c3b24b595307041222aa09621d9deca033bb6f

Threat Level: Shows suspicious behavior

The file ba17dd1ecc2680c19481056e6a5bdec7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries information about the current nearby Wi-Fi networks

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Requests cell location

Queries information about running processes on the device

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Acquires the wake lock

Queries information about active data network

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported: 2024-06-17 23:16

Signatures

Requests dangerous framework permissions

Indicator (permission) and description; process and target are N/A for every row:
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.

Analysis: behavioral4

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:16
Platform: android-x64-arm64-20240611.1-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:19
Platform: android-x86-arm-20240611.1-en
Max time kernel: 160s
Max time network: 158s

Command Line

com.BF.TVGame.DuelOfSheep

Signatures

Loads dropped Dex/Jar

Tags: evasion
Indicator: /storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar (description: N/A, process: N/A, target: N/A)
Indicator: /storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar (description: N/A, process: N/A, target: N/A)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries information about running processes on the device

Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses (process: N/A, target: N/A)

Queries information about the current nearby Wi-Fi networks

Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getScanResults (process: N/A, target: N/A)

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Requests cell location

Tags: collection discovery evasion
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation (process: N/A, target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (process: N/A, target: N/A)

Queries information about active data network

Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process: N/A, target: N/A)

Queries information about the current Wi-Fi connection

Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (process: N/A, target: N/A)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: N/A, target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver (process: N/A, target: N/A)

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal (process: N/A, target: N/A)

Checks CPU information

File opened for read: /proc/cpuinfo (process: N/A, target: N/A)

Checks memory information

File opened for read: /proc/meminfo (process: N/A, target: N/A)

Processes

com.BF.TVGame.DuelOfSheep

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar --output-vdex-fd=105 --oat-fd=110 --oat-location=/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/oat/x86/baseSdk_8.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353                                            udp
US       1.1.1.1:53             bfas.bianfeng.com                    udp
CN       42.121.236.133:8080                                         tcp
CN       112.124.29.85:5004                                          tcp
US       1.1.1.1:53             gaandroid.talkingdata.net            udp
CN       8.136.189.76:80        bfas.bianfeng.com                    tcp
CN       8.136.189.76:80        bfas.bianfeng.com                    tcp
US       1.1.1.1:53             mobile.bianfeng.com                  udp
US       1.1.1.1:53             guest2user.qpdiy.com                 udp
CN       114.55.235.147:80      guest2user.qpdiy.com                 tcp
GB       216.58.201.110:443                                          tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       216.58.212.238:443     android.apis.google.com              tcp
US       1.1.1.1:53             mobile-info-interface-01.bfun.cn     udp
CN       42.120.19.26:5002      mobile-info-interface-01.bfun.cn     tcp
GB       216.58.212.202:443                                          tcp
GB       216.58.212.202:443                                          tcp
US       1.1.1.1:53             mapi.bianfeng.com                    udp
CN       112.124.16.18:443      mapi.bianfeng.com                    tcp

Files

/storage/emulated/0/bianfeng/DuelOfSheep_channel.dat

/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar

/storage/emulated/0/bianfeng/sdk/plgs/baseSdk/baseSdk_8.jar

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-journal

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-shm

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

/storage/emulated/0/.tidbf

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-journal

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/TDGAtcagentgame.db

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db-wal

/data/data/com.BF.TVGame.DuelOfSheep/databases/collect_data.db

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:16
Platform: android-x86-arm-20240611.1-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 23:16
Reported: 2024-06-17 23:16
Platform: android-x64-20240611.1-en
Max time network: 5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination        Domain  Proto
N/A      224.0.0.251:5353           udp

Files

N/A