Malware Analysis Report

2024-09-09 13:23

Sample ID 240617-hjn4sssgrp
Target b741d2b6745db00def2922e779d2b0bf_JaffaCakes118
SHA256 56d17dc249dabe1340986351f636daddd96eb649e0e05f30d265d4a33e9c9246
Tags banker collection credential_access discovery evasion impact stealth trojan persistence
score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score 8/10
SHA256 56d17dc249dabe1340986351f636daddd96eb649e0e05f30d265d4a33e9c9246

Threat Level: Likely malicious

The file b741d2b6745db00def2922e779d2b0bf_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection credential_access discovery evasion impact stealth trojan persistence

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-17 06:46

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-17 06:46
Reported 2024-06-17 06:49
Platform android-x64-arm64-20240611.1-en
Max time kernel 178s
Max time network 132s

Command Line

com.example.testdex

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.example.testdex/app_ttmp/t.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.example.testdex

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 a.asense.in udp
US 208.100.26.245:80 a.asense.in tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.example.testdex/100classes.dex

MD5 9c51800c85df096925670e14cb963b9c
SHA1 883a239572e5a286375a8b648e8aba87710fab29
SHA256 29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9
SHA512 6d893f3d4e9c3f2bbd5fd1d77f050b93d86dd79f13931c91b7a17b4687f9897c24b88f6d7f597a9a517acbb730e250bb87bad74511d1f3fded9d24f56502ecd4

/data/user/0/com.example.testdex/app_ttmp/t.jar

MD5 e3447d5435bc33cb03183a57f3474f1e
SHA1 13b41650892f79bff94f3edf8689c3218ba962d0
SHA256 8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9
SHA512 e4e7906b57056c413942ea3f5fa91cf3bc5f508a2e9c8273524c0cf84d7189f26b770f0130f57218ecba8982ac337f46a6d11d10dd8f8dc4f5f0c0fa02447ab6

/data/user/0/com.example.testdex/app_ttmp/t.jar

MD5 4e1e6aa783bb8974b1436f0100156de6
SHA1 8d2d20dbf86960783c889dd9834e281bac850642
SHA256 58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53
SHA512 0a45ddb1269a3cd8a789ce3b9edef67e69c2968480938aac76e9e975c4cce049a42ebbcf0cf4058eef117e1041a1e7a8f15d504c5a9ca95b1b3d014ca91aadbf

/data/user/0/com.example.testdex/databases/com.example.testdexb-journal

MD5 5d6d962b48b514aca0b52fee73306965
SHA1 158e9ebf8b505f30298d2fcca2f974d79f330c5f
SHA256 cc5ee335208e8d762dcd6d4b1f5b214f07b9a5f5daf56c53df83c60940312468
SHA512 3b09f014f95947f9cb2f70f91e4eb2f951e20266155acc4520c9c7835b8bd16a249a373da0dc5659ef1e47aeb56869a3156a90bd27455c6c334fbec1444c622d

/data/user/0/com.example.testdex/databases/com.example.testdexb

MD5 19700d2d3289fd63c1503874d4c9b279
SHA1 1f17e21bd0fa765c78f5d048ea32f98eb3e37f5c
SHA256 ac46fcc236041cb11d269c835a163d6cd1085b2532b2f486b5bf7aa00246003c
SHA512 fd4d86f10059ad4045a3bd57d91c9e3f05c42a5906e9d5f358679258b318e6202fe09bf7e34a7024c6ed1b938164d3c5175c568ec4a41ef0040ad085e5b2aa90

/data/user/0/com.example.testdex/databases/com.example.testdexb-journal

MD5 9a03732a6695790885e0edb15912e9c1
SHA1 9137929680431fa199eccda71325e385509ad164
SHA256 d6f9d3c2c6d2fdda98eb9694d3dd415bcd39d3c72afc185c9222c355f252f67d
SHA512 95df2f6b3e1de872fe3248ed67db177941bff4d2f9309289da91df05f82eeba08cb459216a1e1f3344a3b376d101d30f9763f22c33739d9155d819083377f55e

/data/user/0/com.example.testdex/databases/com.example.testdexb-journal

MD5 a0adbecf6739cd049e70fcb1ce4c79c7
SHA1 e446be5cf5031e1bd412e6d6487471748944f9ed
SHA256 9b39d116990b0fddc90d9b6c0e0b51187f0e2f949ac0b8d8b8581b8eb575b3f9
SHA512 08149effca16ddf8ef6cd8e00bf9c9df981ea20d15aa4a099847f4144feae0c8e7ea2494b7b44704c089b84f91357053f8f909119dd3aac55604183d3251ee48

/data/user/0/com.example.testdex/databases/com.example.testdexb-journal

MD5 c4b4f790fe8951724ed2d1c5d7c9a024
SHA1 0d98072a5d744169069f902a8175d5a21c90cb6a
SHA256 540f15507a1d2fbb2efcefdd79b79398654cb13b5e7b33c274736dbdbd8ae49f
SHA512 833fa4f16440527fdd4c3849b5b22e531d2950c76c2c8550c4ab97f30c6529890028bb2f632b13f0bf5af60bd5d08b2f40e2ce4e943a554a16ab1ce0e372d9c5

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 06:46
Reported 2024-06-17 06:49
Platform android-x86-arm-20240611.1-en
Max time kernel 178s
Max time network 131s

Command Line

com.example.testdex

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.example.testdex/app_ttmp/t.jar N/A N/A
N/A /data/user/0/com.example.testdex/app_ttmp/t.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.example.testdex

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.example.testdex/app_ttmp/t.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.example.testdex/app_ttmp/oat/x86/t.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 a.asense.in udp
US 208.100.26.245:80 a.asense.in tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.example.testdex/100classes.dex

MD5 9c51800c85df096925670e14cb963b9c
SHA1 883a239572e5a286375a8b648e8aba87710fab29
SHA256 29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9
SHA512 6d893f3d4e9c3f2bbd5fd1d77f050b93d86dd79f13931c91b7a17b4687f9897c24b88f6d7f597a9a517acbb730e250bb87bad74511d1f3fded9d24f56502ecd4

/data/data/com.example.testdex/app_ttmp/t.jar

MD5 e3447d5435bc33cb03183a57f3474f1e
SHA1 13b41650892f79bff94f3edf8689c3218ba962d0
SHA256 8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9
SHA512 e4e7906b57056c413942ea3f5fa91cf3bc5f508a2e9c8273524c0cf84d7189f26b770f0130f57218ecba8982ac337f46a6d11d10dd8f8dc4f5f0c0fa02447ab6

/data/user/0/com.example.testdex/app_ttmp/t.jar

MD5 4e1e6aa783bb8974b1436f0100156de6
SHA1 8d2d20dbf86960783c889dd9834e281bac850642
SHA256 58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53
SHA512 0a45ddb1269a3cd8a789ce3b9edef67e69c2968480938aac76e9e975c4cce049a42ebbcf0cf4058eef117e1041a1e7a8f15d504c5a9ca95b1b3d014ca91aadbf

/data/user/0/com.example.testdex/app_ttmp/t.jar

MD5 73b590f8bfdd3d17d710d7b4969592e8
SHA1 8b211d7488ba8023c2982d2bc3bb71405245d01b
SHA256 d6901db366b8f33db6af0d33225c19caa6723719264fafd52cda172119e38e4e
SHA512 7e1a5a6b97e7b3b927ac88749dfb0a59e87a00f27693e0c7909d6e6130696f5bc3bc1d26bf5de480ab14550a198c3a3cab8ffdc59cacb8cf9f2ce109ac67487b

/data/data/com.example.testdex/databases/com.example.testdexb-journal

MD5 a5e73ad49d4165ac3c7a70d629c23d6d
SHA1 22ac77d7e600b4e625be1dafb8c75a24eec9769c
SHA256 20974b153ed29909e270fcf2557d089035262bfcfd281c4e48bb1f2374804a1d
SHA512 ee72afcf6e18bc2969bc6413386350e072a6a47d7120d1c442fe36b1d1ed4e9968e61074d5dbe91974be7a65ddd08f7a180df81293097f9683bed8416f246925

/data/data/com.example.testdex/databases/com.example.testdexb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.example.testdex/databases/com.example.testdexb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.example.testdex/databases/com.example.testdexb-wal

MD5 2061eda736697bdb798d11c4d371d818
SHA1 ac2d3466a662041463ef6742e6d4610d38d54474
SHA256 38f8208f2eeb7bbaff1c44cac02265e6c373c81a38a9a6c62099623bb8399fd6
SHA512 63f0e0f28186ae3456ce54edf299db50a5edcf05c08bb56ebd619358da1a4f65b751b13bc6c6173a7b4e7ae4d45dfca9a37077b5c918aa512df61d474cdc59bd

/data/data/com.example.testdex/app_ttmp/oat/t.jar.cur.prof

MD5 9d623f95d518bba2c723127c77468cf9
SHA1 b8498b3cce5f4176e69a7e45a5f25548736df9c0
SHA256 1af92c6d82443939762c21e4a12105e448ab661c69fe2e8c29996d123a2de68c
SHA512 ec02d374e5c9d87aa539478b9f02461bf81d544d814ca96c2cf677806816cb0184fde9fd7897cbf43f86750744a18789d6f70b950cfa135afee76c140956a3dc

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 06:46
Reported 2024-06-17 06:49
Platform android-x64-20240611.1-en
Max time kernel 178s
Max time network 129s

Command Line

com.example.testdex

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.example.testdex/app_ttmp/t.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
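The "Loads dropped Dex/Jar" signature in this run (and in behavioral3 and behavioral1) records only the path of the file handed to the runtime; it does not say what the file is. Once the artifact is pulled from the sandbox, the first check is whether it really is loadable code, because only then is its hash worth publishing. The Python below is an added example, not part of this report or of the sample: it classifies a pulled file by its leading bytes as a raw DEX (the `dex\n0NN\0` magic), a ZIP/JAR carrying `.dex` entries (the shape `dex2oat` accepts), a plain ZIP, or something else, and hashes only the code artifacts. The inputs are constructed in-memory stand-ins for `t.jar`, `100classes.dex` and the SQLite database, not the real files from the detonation.

```python
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"       # full magic is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP/JAR/APK


def classify_payload(data):
    """Identify what a dropped file is from its leading bytes.

    Returns (kind, detail):
      ("dex", "035")            raw DEX file, detail is the format version
      ("jar", ["classes.dex"])  ZIP container with .dex entries, which dex2oat can compile
      ("zip", [])               ZIP container without any .dex entry
      ("unknown", None)         anything else (SQLite databases, journals, ART profiles, ...)
    """
    if data[:4] == DEX_MAGIC and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex", data[4:7].decode("ascii", "replace")
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown", None
        dex_entries = [n for n in names if n.lower().endswith(".dex")]
        return ("jar", dex_entries) if dex_entries else ("zip", [])
    return "unknown", None


def loadable_code(files):
    """files: {path: bytes}. Return [(path, kind, detail, sha256)] for DEX/JAR payloads only,
    sorted by path, so the hashes can be lifted straight into an indicator list."""
    out = []
    for path, data in sorted(files.items()):
        kind, detail = classify_payload(data)
        if kind in ("dex", "jar"):
            out.append((path, kind, detail, hashlib.sha256(data).hexdigest()))
    return out


# --- constructed stand-ins for the artifacts named in the report (not the real files) ---
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 0x68   # header-sized blob; body deliberately empty


def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


FAKE_JAR = _build_zip({"classes.dex": FAKE_DEX, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
FAKE_ZIP = _build_zip({"readme.txt": b"nothing to load here\n"})
FAKE_DB = b"SQLite format 3\x00" + b"\x00" * 84   # SQLite header magic, as for the databases/ files

SAMPLE_FILES = {
    "/data/user/0/com.example.testdex/app_ttmp/t.jar": FAKE_JAR,
    "/data/data/com.example.testdex/100classes.dex": FAKE_DEX,
    "/data/data/com.example.testdex/app_ttmp/other.zip": FAKE_ZIP,
    "/data/data/com.example.testdex/databases/com.example.testdexb": FAKE_DB,
}

if __name__ == "__main__":
    for path, kind, detail, digest in loadable_code(SAMPLE_FILES):
        print(f"{kind:4} {digest[:16]}... {path} {detail}")
```

The magic check is deliberately strict about the NUL at offset 7 so that a text file beginning with "dex" is not misclassified; a JAR whose `.dex` entries are themselves corrupt will still be reported as "jar", so the entry bytes should be run back through `classify_payload` before their hashes are trusted.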

Processes

com.example.testdex

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 a.asense.in udp
US 208.100.26.245:80 a.asense.in tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.178.14:443 tcp
GB 142.250.187.226:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 216.58.204.78:443 tcp
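The Network tables of the three behavioral runs mix emulator noise (mDNS to 224.0.0.251), resolver lookups, Google platform endpoints and one destination that is unique to the sample (a.asense.in over plaintext HTTP on 208.100.26.245:80). Rows also come in two shapes: four fields when the sandbox attached a DNS name to the destination, three when it did not. The Python below is an added example, not part of this report: it parses rows in both shapes, buckets each flow so the unexplained traffic is read first, and emits the names and endpoints that belong on a blocklist. The rows embedded are a representative subset copied from the tables above; the Google suffix list is an assumption about what counts as platform traffic and should be tuned per case.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Rows copied from the Network tables of the behavioral runs above (representative subset).
# Four fields when the destination carried a DNS name, three when it did not.
NETWORK_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 a.asense.in udp
US 208.100.26.245:80 a.asense.in tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
"""

# Assumption: these suffixes are Google platform endpoints that any app bundling Play services
# or Analytics will touch, so they are not unique to this sample. Tune per case.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_row(line):
    """Parse one 'Country Destination [Domain] Proto' row; Domain is optional."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unrecognised network row: {line!r}")
    ip, _, port = dest.rpartition(":")
    return Flow(country, ip, int(port), domain, proto)


def parse_table(text):
    return [parse_row(ln) for ln in text.strip().splitlines() if ln.strip()]


def classify(flow):
    """Bucket a flow so the analyst reads the unexplained traffic first."""
    if ipaddress.ip_address(flow.ip).is_multicast:
        return "local-noise"      # mDNS on 224.0.0.251:5353 is the emulator itself
    if flow.port == 53:
        return "dns"              # resolver traffic; the interesting part is the queried name
    if flow.domain and flow.domain.endswith(PLATFORM_SUFFIXES):
        return "platform"
    if flow.domain is None:
        return "unresolved"       # no name attached; needs passive DNS or TLS SNI to explain
    return "suspect"


def triage(text):
    buckets = defaultdict(list)
    for flow in parse_table(text):
        buckets[classify(flow)].append(flow)
    return dict(buckets)


def iocs(text):
    """Names and ip:port endpoints from the 'suspect' bucket, ready for a blocklist."""
    suspect = triage(text).get("suspect", [])
    return ({f.domain for f in suspect}, {f"{f.ip}:{f.port}" for f in suspect})


if __name__ == "__main__":
    for bucket, flows in triage(NETWORK_ROWS).items():
        print(bucket, [f"{f.ip}:{f.port} {f.domain or '-'}" for f in flows])
    print("IOCs:", iocs(NETWORK_ROWS))
```

"platform" means "not unique to this sample", not "benign": ssl.google-analytics.com is also a convenient place for a loader to park telemetry, so the volume and timing of that traffic still deserve a look. The "unresolved" rows (Google address space on 443 with no name) cannot be explained from the table alone and are left in their own bucket rather than silently dropped.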

Files

/data/data/com.example.testdex/100classes.dex

MD5 9c51800c85df096925670e14cb963b9c
SHA1 883a239572e5a286375a8b648e8aba87710fab29
SHA256 29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9
SHA512 6d893f3d4e9c3f2bbd5fd1d77f050b93d86dd79f13931c91b7a17b4687f9897c24b88f6d7f597a9a517acbb730e250bb87bad74511d1f3fded9d24f56502ecd4

/data/data/com.example.testdex/app_ttmp/t.jar

MD5 e3447d5435bc33cb03183a57f3474f1e
SHA1 13b41650892f79bff94f3edf8689c3218ba962d0
SHA256 8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9
SHA512 e4e7906b57056c413942ea3f5fa91cf3bc5f508a2e9c8273524c0cf84d7189f26b770f0130f57218ecba8982ac337f46a6d11d10dd8f8dc4f5f0c0fa02447ab6

/data/user/0/com.example.testdex/app_ttmp/t.jar

MD5 4e1e6aa783bb8974b1436f0100156de6
SHA1 8d2d20dbf86960783c889dd9834e281bac850642
SHA256 58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53
SHA512 0a45ddb1269a3cd8a789ce3b9edef67e69c2968480938aac76e9e975c4cce049a42ebbcf0cf4058eef117e1041a1e7a8f15d504c5a9ca95b1b3d014ca91aadbf

/data/data/com.example.testdex/databases/com.example.testdexb-journal

MD5 8cf7cfde2397d66f7a7f5085eeb2dfba
SHA1 d6747b1f16a837706f960ade75b3930df1b0929b
SHA256 11fdce65e0a5d1fed66a89259fb57e166912d86f129fac216d22d78e4e8782c5
SHA512 62386d7041ddf79edb8b50a0d8e0ee724060365c25054ad230178bede81f51c6e7845674bff30654612e2d77b0a8f88e89ad4cea5b25cb453aac2a4bbfe4ddbc

/data/data/com.example.testdex/databases/com.example.testdexb

MD5 4a2391b074627d5bc3ad85bec0948b41
SHA1 83efc78001abf58f85c06a7d4b883a61b346e9dc
SHA256 fd6873681579d5c0929e0fc2b13d81a31506ea25bde43f548b40abc1d6383dc2
SHA512 e4ac9850e48cf9b1f5730d294ca60721a12c9f16470a99a74eb666bde252fc44bde96e1a656f07e685b932941722108743f6148dd4487a2e3ed868b299e25edc

/data/data/com.example.testdex/databases/com.example.testdexb-journal

MD5 a9e392bfff4d32afa9450f42af3c3802
SHA1 49cad7635a168250cf3f64ac681e9b3de66d0b1b
SHA256 86ae93ec1497f4c566f5dfc2d5b3e794347ab9d51a259299cd4c84c7dc1ad1e8
SHA512 7fc872d87c4f2a592790c2b9f51bf39fb244efaec33fd2854865b9be3f3825210379e9fb345bc5c05e18f0eeb3ce19eb34b4601903544b13bfd9f410b05d0f77

/data/data/com.example.testdex/databases/com.example.testdexb-journal

MD5 5cb7d4a5f54b071a56cb32fb3b69201b
SHA1 e4e501718ddfa030a39d7399ae189de5302f306c
SHA256 1b1ee6e1bde7a621a885856d91e50177f7d121590301e042568493ed0205f89d
SHA512 cb56ae66f6225c1a908d4d38ecf90c5b81f62b03e7f0111648193c23406bc3420442f5bd339b5dc53546de527bd0034728037021968d950675565656d27e89e2

/data/data/com.example.testdex/databases/com.example.testdexb-journal

MD5 ff7ad0f041192c5e4cc78b649da55bcc
SHA1 c5888d39db51c6f330292cb8cbcacbb44858cd38
SHA256 b63157a27f0a00ef46de2bff54d7b63c30a29f30b41161ac408d0f8c02139bad
SHA512 0934ef2b04581687b2ef7942d1dd1f77722d30a1f06c12d83492a95cb7e95678bee48cb968eebcdb52a433784bdb48daea19f1d8b0f78ab8a9c4009dfc70aaad

/data/data/com.example.testdex/app_ttmp/oat/t.jar.cur.prof

MD5 93fcfdc57f4fa611147438f6c100e78a
SHA1 01b5a9635970242328d2b364419b2077831bc0f9
SHA256 067c9f36df8846f70510e21ba698abf328335b085b063b44b660140164e06f56
SHA512 d66454e40dd06b4fd0952b25f5574b4c81c4e2f9bcc9d04055768dce9ac5b49e6abe22155a56e661a479b474657b6d720adf888ed341b078bc6bc5ac3274812a
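The three Files tables above list the same paths many times with different hashes: `100classes.dex` is identical in every run, `app_ttmp/t.jar` is written more than once per run, and the SQLite journals never repeat. Deciding which hashes are indicators is mechanical once the records are collected. The Python below is an added example, not part of this report: it takes the (path, SHA256) pairs from the three runs, merges the `/data/data/<pkg>` and `/data/user/0/<pkg>` spellings (on multi-user Android the former is a symlink to the latter; that is the one assumption the merge relies on, and the report itself uses both spellings for the same files), and separates hashes seen in every detonation from paths whose contents change between or within runs.

```python
from collections import defaultdict

# (path, SHA256) pairs copied from the Files tables of the three behavioral runs above.
APP = "/data/user/0/com.example.testdex"
ALT = "/data/data/com.example.testdex"   # same directory, as spelled in some rows
DB = "/databases/com.example.testdexb"

RUNS = {
    "behavioral3": [
        (ALT + "/100classes.dex", "29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9"),
        (APP + "/app_ttmp/t.jar", "8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9"),
        (APP + "/app_ttmp/t.jar", "58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53"),
        (APP + DB + "-journal", "cc5ee335208e8d762dcd6d4b1f5b214f07b9a5f5daf56c53df83c60940312468"),
        (APP + DB, "ac46fcc236041cb11d269c835a163d6cd1085b2532b2f486b5bf7aa00246003c"),
        (APP + DB + "-journal", "d6f9d3c2c6d2fdda98eb9694d3dd415bcd39d3c72afc185c9222c355f252f67d"),
        (APP + DB + "-journal", "9b39d116990b0fddc90d9b6c0e0b51187f0e2f949ac0b8d8b8581b8eb575b3f9"),
        (APP + DB + "-journal", "540f15507a1d2fbb2efcefdd79b79398654cb13b5e7b33c274736dbdbd8ae49f"),
    ],
    "behavioral1": [
        (ALT + "/100classes.dex", "29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9"),
        (ALT + "/app_ttmp/t.jar", "8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9"),
        (APP + "/app_ttmp/t.jar", "58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53"),
        (APP + "/app_ttmp/t.jar", "d6901db366b8f33db6af0d33225c19caa6723719264fafd52cda172119e38e4e"),
        (ALT + DB + "-journal", "20974b153ed29909e270fcf2557d089035262bfcfd281c4e48bb1f2374804a1d"),
        (ALT + DB, "0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514"),
        (ALT + DB + "-shm", "c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479"),
        (ALT + DB + "-wal", "38f8208f2eeb7bbaff1c44cac02265e6c373c81a38a9a6c62099623bb8399fd6"),
        (ALT + "/app_ttmp/oat/t.jar.cur.prof", "1af92c6d82443939762c21e4a12105e448ab661c69fe2e8c29996d123a2de68c"),
    ],
    "behavioral2": [
        (ALT + "/100classes.dex", "29ff829704175170d44532a13dd7d5697612d36094b65ea4cb323bf70c2916b9"),
        (ALT + "/app_ttmp/t.jar", "8eabaa1e5b64a753f5aeeee5e02ce584ab8e65c5edfc5e3bdf38f25462024dc9"),
        (APP + "/app_ttmp/t.jar", "58665fea32655b49869f9f7e6812f36906cd75dbe4af3f1d497e9bdeaf33fc53"),
        (ALT + DB + "-journal", "11fdce65e0a5d1fed66a89259fb57e166912d86f129fac216d22d78e4e8782c5"),
        (ALT + DB, "fd6873681579d5c0929e0fc2b13d81a31506ea25bde43f548b40abc1d6383dc2"),
        (ALT + DB + "-journal", "86ae93ec1497f4c566f5dfc2d5b3e794347ab9d51a259299cd4c84c7dc1ad1e8"),
        (ALT + DB + "-journal", "1b1ee6e1bde7a621a885856d91e50177f7d121590301e042568493ed0205f89d"),
        (ALT + DB + "-journal", "b63157a27f0a00ef46de2bff54d7b63c30a29f30b41161ac408d0f8c02139bad"),
        (ALT + "/app_ttmp/oat/t.jar.cur.prof", "067c9f36df8846f70510e21ba698abf328335b085b063b44b660140164e06f56"),
    ],
}


def normalize(path):
    """Merge the two spellings of the app's private directory. Assumption: /data/data/<pkg>
    is a symlink to /data/user/0/<pkg>, as on multi-user Android builds."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def stable_artifacts(runs):
    """Hashes observed in every run, mapped to their normalized path. These survive
    re-detonation on different images and are the indicators worth publishing."""
    seen_in = defaultdict(set)
    path_of = {}
    for run, files in runs.items():
        for path, sha in files:
            seen_in[sha].add(run)
            path_of[sha] = normalize(path)
    return {sha: path_of[sha] for sha, names in seen_in.items() if names == set(runs)}


def rewritten_paths(runs):
    """Paths that carried more than one distinct hash across the runs: rewritten in place
    (the staged t.jar) or simply volatile (SQLite journals). Their hashes make poor indicators."""
    hashes = defaultdict(set)
    for files in runs.values():
        for path, sha in files:
            hashes[normalize(path)].add(sha)
    return {p: s for p, s in hashes.items() if len(s) > 1}


def ioc_hashes(runs):
    """Stable hashes whose path is a code artifact, i.e. the payload itself."""
    return sorted(sha for sha, path in stable_artifacts(runs).items() if path.endswith((".dex", ".jar")))


if __name__ == "__main__":
    for sha, path in stable_artifacts(RUNS).items():
        print("stable ", sha[:16], path)
    for path, shas in rewritten_paths(RUNS).items():
        print("volatile", len(shas), "hashes at", path)
```

On the report's data this yields three stable code hashes (`100classes.dex` and the first two `t.jar` contents), while the database journals, `-shm`/`-wal` files and the `t.jar.cur.prof` ART profiles differ on every run and should stay out of a blocklist. The `t.jar` path carrying three distinct contents across runs also matches the "Loads dropped Dex/Jar" signature firing twice in behavioral1.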