Malware Analysis Report

2024-09-09 13:24

Sample ID: 240617-w5vqcsyhmg
Target: b967c8b2c544ae657ac9cd5aa6785f31_JaffaCakes118
SHA256: 44347b360066b6e052252751198637af9508ff9af3525172d6f2e7ef1f9f3fd9
Tags: banker, collection, credential_access, discovery, evasion, execution, impact, persistence, stealth, trojan
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 44347b360066b6e052252751198637af9508ff9af3525172d6f2e7ef1f9f3fd9

Threat Level: Likely malicious

The file b967c8b2c544ae657ac9cd5aa6785f31_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, collection, credential_access, discovery, evasion, execution, impact, persistence, stealth, trojan

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Queries information about active data network

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-17 18:30

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-17 18:30
Reported: 2024-06-17 18:33
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 179s
Max time network: 132s

Command Line

com.okasa.pxhiwajrul.aqdmlthzuxqm

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries account information for other applications stored on the device

Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tags: discovery

Schedules tasks to execute at a specified time

Tags: execution, persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.okasa.pxhiwajrul.aqdmlthzuxqm

com.okasa.pxhiwajrul.aqdmlthzuxqm:RemoteProcess

com.okasa.pxhiwajrul.aqdmlthzuxqm:guard

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 216.58.212.196:443 | | tcp
GB | 216.58.212.196:443 | | tcp

Files

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/storage/emulated/0/Download/sdsid

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/oat/fields.jar.cur.prof

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 18:30
Reported: 2024-06-17 18:33
Platform: android-x86-arm-20240611.1-en
Max time kernel: 15s
Max time network: 131s

Command Line

com.okasa.pxhiwajrul.aqdmlthzuxqm

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries account information for other applications stored on the device

Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.okasa.pxhiwajrul.aqdmlthzuxqm

com.okasa.pxhiwajrul.aqdmlthzuxqm:RemoteProcess

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-wal

/storage/emulated/0/Download/sdsid

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-17 18:30
Reported: 2024-06-17 18:33
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 157s

Command Line

com.okasa.pxhiwajrul.aqdmlthzuxqm

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Queries account information for other applications stored on the device

Tags: collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.okasa.pxhiwajrul.aqdmlthzuxqm

com.okasa.pxhiwajrul.aqdmlthzuxqm:RemoteProcess

com.okasa.pxhiwajrul.aqdmlthzuxqm:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/user/0/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/fields.jar

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/databases/tbcom.okasa.pxhiwajrul.aqdmlthzuxqm-journal

/storage/emulated/0/Download/sdsid

/data/data/com.okasa.pxhiwajrul.aqdmlthzuxqm/app_tfile/oat/fields.jar.cur.prof