Malware Analysis Report

2024-10-19 13:11

Sample ID 240617-znqa4atdrd
Target b9fd506fe0ec0cc76ec63cd9a6aad29e_JaffaCakes118
SHA256 10e203983fd4f9eeb8c3bb8cef97ae9a58ba2ebf90cc5d9408861a37da38c31c
Tags
discovery evasion impact persistence collection credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

10e203983fd4f9eeb8c3bb8cef97ae9a58ba2ebf90cc5d9408861a37da38c31c

Threat Level: Shows suspicious behavior

The file b9fd506fe0ec0cc76ec63cd9a6aad29e_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 20:52

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 20:52

Reported

2024-06-17 20:55

Platform

android-x86-arm-20240611.1-en

Max time kernel

97s

Max time network

131s

Command Line

com.armouredboar.MonsterShuffleFree

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar | N/A | N/A
N/A | /data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.armouredboar.MonsterShuffleFree

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar --output-vdex-fd=116 --oat-fd=117 --oat-location=/data/user/0/com.armouredboar.MonsterShuffleFree/cache/oat/x86/ads3116740175779475052.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | media.admob.com | udp
BE | 108.177.15.113:80 | media.admob.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar

MD5 d80f6d032778b02d10a9c9a2f1a24714
SHA1 e34d4ea9618b1b499b65032723ea029ab3998500
SHA256 ee2de01a238f9e1834f9f9934dd1f5b267bdf9747965641d2fd636d740041f9b
SHA512 34fa52d41831142f86999ac407aafeb2b69bb4cd45ada9f739be84c80deb0414d11d6784f385eec287e4f6b5bdf29ba1c9a6a77c07707d66a73c60eb389136e1

/data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar

MD5 12670a32ad1380c9021a9e74aa5f2281
SHA1 7e8caf0c7a4d78452efb90958e8ce1aae5148e44
SHA256 f3c142f78cadcb57d7da3d8e4dc5f8c7b05377417c639059910696c844afc1f9
SHA512 1277dde373cab02d5df62732834adb79f8dbf1d1a9ac56b5b348e354317fadc24fe20b5ebdd1ecc28f8fc98dcdff807d2839bef75ef7d871e976e68a95851b06

/data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads3116740175779475052.jar

MD5 6175efac331cdc88f352d62e1e1b596d
SHA1 d2e2e8ccdd8ca885dfa83f28208459ac60e9ec1a
SHA256 3d3736a254adb3086b9cb9017b52fc7dbcaba3043e284ebf90bf27c0fa6b74e3
SHA512 c5ba4e091370597ff6780beac694a37b1fd9400a21f20b5a388a62a04253054ed91ffb14d2e84c233b7e4760f6f92fa324a98b88cf90dd868b4ad7f6db3e49f8

/data/data/com.armouredboar.MonsterShuffleFree/files/gaClientId

MD5 9b0bb20d7c417c0f2a79dd82d2509b5e
SHA1 fc1036c39c4e0430dd4f4b061183e49a6ab70a36
SHA256 131d3bf56dc6662888ae75e7c14ff51bf153ef79b10060a7808e1919332bb3f7
SHA512 45bfbc3a17d7a6b7b8bdbe83923f2dcef050625d87d2fa183ae21a9ec182918bc2d2d049b06b172b45c01c51d627a7f4c8764905b78096c95d547a6684887dbe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 20:52

Reported

2024-06-17 20:55

Platform

android-x64-arm64-20240611.1-en

Max time kernel

145s

Max time network

133s

Command Line

com.armouredboar.MonsterShuffleFree

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads7963475580617801411.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.armouredboar.MonsterShuffleFree

Network

Country | Destination | Domain | Proto
GB | 172.217.16.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.201.106:443 | | tcp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | media.admob.com | udp
BE | 142.251.173.113:80 | media.admob.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads7963475580617801411.jar

MD5 d80f6d032778b02d10a9c9a2f1a24714
SHA1 e34d4ea9618b1b499b65032723ea029ab3998500
SHA256 ee2de01a238f9e1834f9f9934dd1f5b267bdf9747965641d2fd636d740041f9b
SHA512 34fa52d41831142f86999ac407aafeb2b69bb4cd45ada9f739be84c80deb0414d11d6784f385eec287e4f6b5bdf29ba1c9a6a77c07707d66a73c60eb389136e1

/data/user/0/com.armouredboar.MonsterShuffleFree/cache/ads7963475580617801411.jar

MD5 12670a32ad1380c9021a9e74aa5f2281
SHA1 7e8caf0c7a4d78452efb90958e8ce1aae5148e44
SHA256 f3c142f78cadcb57d7da3d8e4dc5f8c7b05377417c639059910696c844afc1f9
SHA512 1277dde373cab02d5df62732834adb79f8dbf1d1a9ac56b5b348e354317fadc24fe20b5ebdd1ecc28f8fc98dcdff807d2839bef75ef7d871e976e68a95851b06

/data/user/0/com.armouredboar.MonsterShuffleFree/files/gaClientId

MD5 b2b333f12eb6067e5f8d512dd78cc078
SHA1 28338b7c3f81b63058e3aad3efe13b824e5808f3
SHA256 fddfab47f3fdd1bce9cc0f83766031359b047655a9bbe8a7c1e828654edee1f7
SHA512 53f5113464dfb23cb2e39136d4fbe8999e2df6f63c2560c6879e9f42ff39bed643de251960f82fa86ba215105dc6e70b1f865fa3bd7d095ff04a40afac645a47