Malware Analysis Report

2024-10-19 13:11

Sample ID: 240618-pse1tatdld
Target: bbf5a3042283fb27de1067e4519548de_JaffaCakes118
SHA256: b569285906d15b1929ab18d9fd6dd903893167f9b4992f4f14cb227cccb16f5f
Tags: collection discovery evasion persistence credential_access impact
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: b569285906d15b1929ab18d9fd6dd903893167f9b4992f4f14cb227cccb16f5f

Threat Level: Shows suspicious behavior

The file bbf5a3042283fb27de1067e4519548de_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection discovery evasion persistence credential_access impact

Requests cell location

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-18 12:35

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-18 12:35
Reported: 2024-06-18 12:38
Platform: android-x86-arm-20240611.1-en
Max time kernel: 164s
Max time network: 131s

Command Line

com.tlightsky.photomaker

Signatures

Requests cell location

Tags: collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.tlightsky.photomaker

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ads.guohead.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/com.tlightsky.photomaker/databases/http_auth.db-journal
/data/data/com.tlightsky.photomaker/databases/http_auth.db
/data/data/com.tlightsky.photomaker/databases/http_auth.db-shm
/data/data/com.tlightsky.photomaker/databases/http_auth.db-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-18 12:35
Reported: 2024-06-18 12:38
Platform: android-x64-20240611.1-en
Max time kernel: 165s
Max time network: 150s

Command Line

com.tlightsky.photomaker

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Requests cell location

Tags: collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.tlightsky.photomaker

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ads.guohead.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp

Files

/data/data/com.tlightsky.photomaker/databases/http_auth.db-journal (3 distinct versions recorded)
/data/data/com.tlightsky.photomaker/databases/http_auth.db

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-18 12:35
Reported: 2024-06-18 12:38
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 165s
Max time network: 132s

Command Line

com.tlightsky.photomaker

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Requests cell location

Tags: collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.tlightsky.photomaker

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ads.guohead.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp

Files

/data/user/0/com.tlightsky.photomaker/databases/http_auth.db-journal (3 distinct versions recorded)
/data/user/0/com.tlightsky.photomaker/databases/http_auth.db