Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-mlkavatemq
Target bb78acf53f8b67a05b1d5eba45f90df3_JaffaCakes118
SHA256 85b943c799ad24ae3f5c45184e96d7d90898e8f0980ee170c0ffa2e6b111ba86
Tags
discovery impact persistence collection credential_access
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

85b943c799ad24ae3f5c45184e96d7d90898e8f0980ee170c0ffa2e6b111ba86

Threat Level: Shows suspicious behavior

The file bb78acf53f8b67a05b1d5eba45f90df3_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:33

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:33

Reported

2024-06-18 10:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

133s

Max time network

131s

Command Line

com.xywxzyb2.ucttxs01

Signatures

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xywxzyb2.ucttxs01

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 129.226.106.211:80 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | mixsdk.xindongyx.com | udp
CN | 123.206.219.199:443 | mixsdk.xindongyx.com | tcp
CN | 123.206.219.199:80 | mixsdk.xindongyx.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/com.xywxzyb2.ucttxs01/files/tbslog/tbslog.txt

MD5 0aefbfaba846d47e01e38cc36de9540a
SHA1 ed80fa89737b3f256b3b763eefba0fe9dcd9cfe2
SHA256 286897c3f2ebfba1baa26509c0e7d9da170aedfaee94600d4523ea33ec8a2836
SHA512 61801d478dba92ffc9559a2cf8572eebe04f89878f231594949adcd42500ea71b025342663a717aeb7f60d052647cb44ef3a6add99a31a66710f268752f4f0c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:33

Reported

2024-06-18 10:36

Platform

android-x64-20240611.1-en

Max time kernel

140s

Max time network

131s

Command Line

com.xywxzyb2.ucttxs01

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xywxzyb2.ucttxs01

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 129.226.107.80:80 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | mixsdk.xindongyx.com | udp
CN | 123.206.219.199:80 | mixsdk.xindongyx.com | tcp
CN | 123.206.219.199:443 | mixsdk.xindongyx.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/storage/emulated/0/Android/data/com.xywxzyb2.ucttxs01/files/tbslog/tbslog.txt

MD5 9543925c9ea1805a5f61a26a86725d4d
SHA1 fd79a11506fc7726811e0830429dc248ee1ecd14
SHA256 c2612ab5ad676d3a2d5e5c5dbdaf96d083cb63d53c824af8ea91f810c982eac5
SHA512 21c0945aadf4b34bb0147dc7ec3b70ad40957fdb042f0f6ed52b9fa2c69d4662a4b05f4a29e792544ee773d8a854ebb75f598efce140b40d1afe58975770751e

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 10:33

Reported

2024-06-18 10:36

Platform

android-x64-arm64-20240611.1-en

Max time kernel

172s

Max time network

132s

Command Line

com.xywxzyb2.ucttxs01

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xywxzyb2.ucttxs01

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 129.226.106.211:80 | log.tbs.qq.com | tcp
HK | 129.226.106.211:80 | log.tbs.qq.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | mixsdk.xindongyx.com | udp
CN | 123.206.219.199:443 | mixsdk.xindongyx.com | tcp
CN | 123.206.219.199:80 | mixsdk.xindongyx.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/storage/emulated/0/Android/data/com.xywxzyb2.ucttxs01/files/tbslog/tbslog.txt (deleted)

MD5 58e1e0a6220c04d985226492d35490b8
SHA1 b81d451c410fbeaaf1ee47d692dc2b514ff52983
SHA256 eb1e81427706901333cce3bbc749c701e55635cedcde5a0c9b2b4d6f81da750d
SHA512 8e1f88137b81e5c0f97653d76ca731e7f13a1c65689a40f58817c46f7ea18f509810c24140a2225e229b5e095e1a5bbd8357b699bdb1d716abb93e763fbed9c0