Malware Analysis Report

2025-01-19 04:53

Sample ID 240618-gxhcqs1apg
Target bb0f71e73ef3920d6884d77c1e795b50_JaffaCakes118
SHA256 49e2a94a4ee06a02185d28bbc3b6d93613887604c6193fcdc82022bacaafd347
Tags
banker collection discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

49e2a94a4ee06a02185d28bbc3b6d93613887604c6193fcdc82022bacaafd347

Threat Level: Shows suspicious behavior

The file bb0f71e73ef3920d6884d77c1e795b50_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Loads dropped Dex/Jar

Reads the content of SMS inbox messages.

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads the content of the SMS messages.

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 06:10

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:10

Reported

2024-06-18 06:14

Platform

android-x86-arm-20240611.1-en

Max time kernel

26s

Max time network

179s

Command Line

com.bua.tsiodu

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bua.tsiodu/files/ne/pgubz.jar N/A N/A
N/A /data/user/0/com.bua.tsiodu/files/ne/pgubz.jar N/A N/A
N/A /data/user/0/com.bua.tsiodu/files/Pdd.apk N/A N/A
N/A /data/user/0/com.bua.tsiodu/files/Pdd.apk N/A N/A
N/A /data/user/0/com.bua.tsiodu/app_dex/utopay.jar N/A N/A
N/A /data/user/0/com.bua.tsiodu/app_dex/utopay.jar N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.bua.tsiodu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bua.tsiodu/files/ne/pgubz.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bua.tsiodu/files/ne/oat/x86/pgubz.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bua.tsiodu/files/Pdd.apk --output-vdex-fd=60 --oat-fd=65 --oat-location=/data/user/0/com.bua.tsiodu/files/oat/x86/Pdd.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bua.tsiodu/app_dex/utopay.jar --output-vdex-fd=76 --oat-fd=77 --oat-location=/data/user/0/com.bua.tsiodu/app_dex/oat/x86/utopay.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 app.jtmtht.com udp
US 104.155.138.21:89 app.jtmtht.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
GB 216.58.204.78:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
US 107.178.223.183:89 app.jtmtht.com tcp
CN 120.55.89.238:8977 N/A tcp
US 1.1.1.1:53 sdk.qipagame.cn udp
US 1.1.1.1:53 jx.hamofo.com udp
US 1.1.1.1:53 xiafa.hamofo.com udp
US 1.1.1.1:53 vpay.api.eerichina.com udp

Files

/data/data/com.bua.tsiodu/files/ne/pgubz.jar

MD5 24e1089ee81b46d4dd420b71cc05192e
SHA1 e4ef2dad98853af0306782470d2ff07dd1043c0f
SHA256 b51a211f76ab74078b459dbfd684d23b7cb85cbfe7e44667df2382ef252b96ab
SHA512 b7b416909b7c3ad6c5c3ff46b14ca3107e3fa69266804ce87c288e3985c29e5e5a21f6de0c322923966018eeb16df4fe5e45274d42b60768ba3fb0e265e1408c

/data/user/0/com.bua.tsiodu/files/ne/pgubz.jar

MD5 94721020cc4ba348a6c4a23cb6d0d365
SHA1 ea13ae50eca0c0595f5b33b32a0477e7c2bdc4f6
SHA256 b3e6668d842599791db9f17b4c6583f6ab6cde3be1e921ea293dc030bd1d945d
SHA512 fec1a3517c0b2aba64f910e713f7290316d5d1e6fa0de73164a7c19fd6aa613784bc836bcc998464b78d0dc9f7718eadad7dba6d0b10a21812e092c925faead8

/data/user/0/com.bua.tsiodu/files/ne/pgubz.jar

MD5 c577eb0a8e7ab62269f74d76d3b8ead5
SHA1 6734a417c0e08c2adcab030f1e9978448f29407f
SHA256 a678c266f2b3f60c86fa4920e584c3d6e45ef3b4c88419101762cd29204de055
SHA512 589547d7b11c762cdd7cb65d3349aa388aad7b951b95cbdc35a223c242a231e1bad76b2ad4ad43f46244fb762878b9cb33a8be1985e3b07da7e9f372c738cd8b

/data/data/com.bua.tsiodu/files/Pdd.apk

MD5 e8fbf92c750dbd6fb316be82a6b7b7ae
SHA1 2a6ae9568698807cacc8cf4349556446c996b136
SHA256 2a3cb93d0ca14a1d0b0820c2a26df502a461fb2546ef4587524087c130553f10
SHA512 7848191878b5b8ba2d5020c7be953e70ccc4d392d29e400a65a57cd3731604933125de1d81b3732d251b3450fd4766a814ccd01f3975beda2499a9ba585a26e0

/data/user/0/com.bua.tsiodu/files/Pdd.apk

MD5 a4237ef36f11c2db307f6d9701da0062
SHA1 5d11008a4b9275034db8904e538f7115a429ef0d
SHA256 32f697f7444c79efe23be55fdcdab52c8e6f5cd43474cd1735602675feb5639e
SHA512 6921b3cbb4e6a062eb9408c06e46e6d6cd7554f6e485b8f6275d8df3b7a8d23b26220c0cb979d3fe919fb6622d5d49160769b0567eebe61488cc4c7708f3b34d

/data/user/0/com.bua.tsiodu/files/Pdd.apk

MD5 b91783059376e2bebfd7c24802289350
SHA1 9e0f855404908f993a3beb146e7a4e83789674bd
SHA256 46245d65e1d96038918f77ed8412bcde6a72b513c94a72369a751251f568e73c
SHA512 c50af3f34a519fdb34aa9be70128c55c57df169f8112887f17f9dece581a15cd9b6702939ee4f77370bb33a5d2fe449610c42e699008d4233344d406c3563f30

/data/data/com.bua.tsiodu/databases/wochi_v4.db-journal

MD5 78e0f33d94b5d3279d89b592f3753645
SHA1 7ca66f1ef8c5d82d17b81ab029afccea1bd70b24
SHA256 c90bffb20fef3d4bff043238680fbaf47d747b4cfae50f9bd6127b533c40e0ed
SHA512 056023c8e367e17bc7e6e3c64fb227445ff3ad853f5eccdebc844ec421bf8f5b37238483a81b07a6874e5cc216e41c4d26eae81f78d9668e4c7d030fb1736f1c

/data/data/com.bua.tsiodu/databases/wochi_v4.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bua.tsiodu/databases/wochi_v4.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.bua.tsiodu/databases/wochi_v4.db-wal

MD5 49a527aaeaf6840fdee6d0e3db66454f
SHA1 67716df286c789a99b5a8967419e34fed3e0f3ad
SHA256 60a109bc1cd9dd3430e2d1f503b7a27861631610c83e147f256437e5f6ed7316
SHA512 27416c96dddc61e481c4ec4d8fba40e9c8acecaa955c3553dfee04b511c3087cac51f70a06d31bf482db2eda272c0b849aaf2d0dbed6fd0242aacb1898a6d611

/data/data/com.bua.tsiodu/app_dex/utopay.jar

MD5 eb6089c1acfa9f12535e533aebee845e
SHA1 165e39ee07dcd9ed00fc2dc1ff466bc1d6b813c9
SHA256 b825cde84e3dddfc147c71265d2259c422d51a7e56d1dcdba1321e3119b1df07
SHA512 5b1bc26bcbcf05fc331865fb4dd572b673a52650d68ab4d9b028ea15219e0d93c1ec17996953436801913388d78e25c67ea33aa93544d65e96a799eb06cc70f5

/data/data/com.bua.tsiodu/files/log.dat

MD5 ff9229f8e7c92d44d48e25206d43b021
SHA1 be3d75050c16c5b7484652ba292fdd6510f205d3
SHA256 77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2
SHA512 be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58

/data/user/0/com.bua.tsiodu/app_dex/utopay.jar

MD5 5220524411d0bacd600da60814d1ee9f
SHA1 fef7210ff44e757328bc0ff7aae7bb2191cbf634
SHA256 6286a800597b845785eb664710253ebd20771737dddd5b80067e0e9d37c804b2
SHA512 b2d8af5019c176d682634747d83320e609fb6122ef850f4069a0c78c2415d242087099cf60ecb03039a9ab71902a4e3b22e9cf144de89e506991fb93280f6a5f

/data/user/0/com.bua.tsiodu/app_dex/utopay.jar

MD5 3b8bb9a8679ac8c24e8d179fc5bae999
SHA1 e6ea7a1095524087f481ba04321c4cb6fd2426f3
SHA256 83c996c0d067b5f516897480f427dfffdcfb49ab7654dac9b805376bbd49e1db
SHA512 abf1cbed7a8cf4a29d7a32a83f15aa0a6c9e2be8484c2dd8d9bf16a76e337b17b9c05efa0773598806b3d3da4fe3a9217b583abb9aaf5e3dc054dc77b10cae63

/data/data/com.bua.tsiodu/files/yl_plugin.apk

MD5 5a4c666b43ee7f2b6995aaf3527e4a4d
SHA1 b205bcb022797f3b16635db139c7524c0c388adc
SHA256 05eb3e1ca331b8c6a1f60f92abb2bddbac54a7b2c229ac07bf26c756297fe72a
SHA512 c84fceddbf9928110fc3b85e0989b9cedd06383007ff99dea5a25096d8f892ab52d30ed9b52b72211449041f1274ead85bb42929ec269b58b6b0e616a8545e17

/data/data/com.bua.tsiodu/databases/740410100062013-journal

MD5 56952b08381830234bb9f72ffae260aa
SHA1 a93ede1a4ea925d138560503abe8fa70c0c06929
SHA256 2e52a32b811058f3bcbbfd6a175a273ef4d6bb4badaf28f023ae22736db1978b
SHA512 c43ef8008521038fdef66ba845e623f06f27e3223c620cfc1a9c6a494e27a352dde908566b9aeb9fe77e70fbc63a1d7d4c956daf0f9fe1d17c32483318f34124

/data/data/com.bua.tsiodu/databases/740410100062013-wal

MD5 b9d170aaf55b00b67b7c06480d8d6b8e
SHA1 24a6f9c8a101e2da9e6aad5b1d551306024f6996
SHA256 095472f6dde50f17fd9a852eff1d5a26f3febc1349b2b112301777515b337670
SHA512 31294be561da711603e691e91fcf6891445c9308e51696a9b1928e02a9f12d6cc2d85a3ec56e7671b5c2699069bbd456b5a78e4e18e89a9ee272055774252a54