Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-qn5w4szblm
Target bc2aaf24c37a7b2b3ce3873bf503f519_JaffaCakes118
SHA256 2703f9dad65ff832293601209c0a5b448052f05641a3c64fe6dbf0febe5a5f1a
Tags
collection discovery evasion impact persistence credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2703f9dad65ff832293601209c0a5b448052f05641a3c64fe6dbf0febe5a5f1a

Threat Level: Shows suspicious behavior

The file bc2aaf24c37a7b2b3ce3873bf503f519_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection discovery evasion impact persistence credential_access

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries information about the current nearby Wi-Fi networks

Requests cell location

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 13:25

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
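The table above is the sandbox's reading of the manifest; the same triage can be scripted so that protection levels, duplicate declarations (WRITE_EXTERNAL_STORAGE appears twice) and risky combinations (overlay plus phone state) are flagged mechanically. The example below is added here and is not part of the report or the sample. The manifest fragment is constructed to mirror the table, and the package name is taken from the report's command line; a real APK carries a binary-XML manifest that must first be decoded with apktool or `aapt2 dump permissions <apk>`. The DANGEROUS and SPECIAL sets are a hand-picked subset, not the full platform list.

```python
"""Flag risky <uses-permission> entries in a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime-prompt ("dangerous") permissions; hand-picked subset, not exhaustive.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# App-op permissions granted through a Settings toggle rather than a dialog.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",  # draw over other apps
    "android.permission.WRITE_SETTINGS",       # modify system settings
}

# Constructed manifest fragment mirroring the static1 table; not the sample's
# real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yanyan.cputemp">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Every <uses-permission android:name> in document order, duplicates kept."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "")
            for el in root.iter("uses-permission")]


def triage_permissions(manifest_xml: str) -> dict:
    """Classify requested permissions and flag the overlay + phone-state pairing."""
    perms = requested_permissions(manifest_xml)
    seen: set[str] = set()
    duplicates: set[str] = set()
    for p in perms:
        if p in seen:
            duplicates.add(p)
        seen.add(p)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": sorted(seen & DANGEROUS),
        "special": sorted(seen & SPECIAL),
        "duplicates": sorted(duplicates),
        # Overlay windows combined with phone-state access is the classic
        # credential-overlay / toll-fraud pairing; call it out explicitly.
        "overlay_and_phone_state": (
            "android.permission.SYSTEM_ALERT_WINDOW" in seen
            and "android.permission.READ_PHONE_STATE" in seen
        ),
    }


if __name__ == "__main__":
    for key, value in triage_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

INTERNET is a normal-level permission and is deliberately not flagged; a duplicate declaration is harmless to the platform but is worth noting because it often indicates a merged third-party SDK manifest.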

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 13:25

Reported

2024-06-18 13:28

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

132s

Command Line

com.yanyan.cputemp

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar N/A N/A
N/A /data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yanyan.cputemp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.yanyan.cputemp/files/oat/x86/__pasys_remote_banner.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 hmma.baidu.com udp
HK 103.235.46.195:80 hmma.baidu.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/data/data/com.yanyan.cputemp/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar

MD5 981c6cf9b7df281081e05c808cf0afd5
SHA1 48aabea85a9693f461f87e1bdb9f8e76a8b45c1b
SHA256 639cf990e6246c0418adf545481ca1549a3ac1b443bb3ad3f5a3552400e41f0e
SHA512 b6e668c33021b64adaa304a4e085a2c5c88c16c99e811a4c768534fd67cd6cc380e125e960de511c3abc33c7b842be1441a7dd48aff83c2928d62ebaf65f6adc

/storage/emulated/0/baidu/.cuid

MD5 86a80106dc142fdd41c9ab946761cd2d
SHA1 17c33ad464b42da35f824297fa5eb2892fcffc60
SHA256 f2451ba0b742dacc9ae7c38395b93182343575ca8e02fe8a6a3cbaf0094d1de9
SHA512 dc55bc19fc8baa4ac7dd09a6f1fcd2d5ef6dae4c9cc09621637bf732975f4d491c22acbdfcf281656f99126f19ded06318b9a1dcd3d93e51692ee812323ca862

/data/data/com.yanyan.cputemp/files/__local_stat_cache.json

MD5 2d805b13f2f28dc3ca9bbcc000f49bb5
SHA1 9eac165b4d81258fd3967cde5cc53b53b1dabcb1
SHA256 c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19
SHA512 5db8c57bab36bcf9db698c1dce70318cbffc156dd1d1c1e09e5b7ba60aff07b598ebbf26c4bd8a2b03bd6e59ef2dde2d944a22a8d8a19ecc8378e83afb7c83b0

/data/data/com.yanyan.cputemp/files/__local_except_cache.json

MD5 830ae28df7aa22292d6009eb85b0a766
SHA1 e610e892f9a3ce25357937189145d2a664a579ea
SHA256 e4ee4f305923a0214d04fba68dc3974aee2b190b44c119b059b6b26c1f9e1845
SHA512 b5a63174bc8af64ecfa904bd6dbc1e63b7957e70835968a48495a7f101a9a493c3fde0ed106da430dbf7055295376223a55d6a9555bf35263a6c329fcb0d86f3
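Two things in the behavioral1 Processes and Files sections deserve a mechanical check rather than eyeballing: the dex2oat invocation names the dropped jar as its `--dex-file`, and `__pasys_remote_banner.jar` is listed twice at the same path with different hashes, so the file was rewritten during the run (the `.tmp.jar` hash differs from both, so it was not a plain rename either). The script below is an added example, not part of the report; the command line is abbreviated from the Processes entry above and the hashes are copied from the Files list, while the `/data/data` to `/data/user/0` folding relies on the two being the same directory on Android.

```python
"""Correlate a dex2oat command line with the sandbox's dropped-file list."""
from collections import defaultdict

# Abbreviated from the behavioral1 Processes entry (only the options this
# example needs are kept).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--runtime-arg -Xhidden-api-checks --boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar "
    "--output-vdex-fd=45 --oat-fd=46 "
    "--oat-location=/data/user/0/com.yanyan.cputemp/files/oat/x86/__pasys_remote_banner.odex "
    "--compiler-filter=quicken"
)

# (path, sha256) pairs copied from the behavioral1 Files section.
DROPPED_FILES = [
    ("/data/data/com.yanyan.cputemp/files/__pasys_remote_banner.tmp.jar",
     "947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91"),
    ("/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar",
     "9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215"),
    ("/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar",
     "639cf990e6246c0418adf545481ca1549a3ac1b443bb3ad3f5a3552400e41f0e"),
    ("/storage/emulated/0/baidu/.cuid",
     "f2451ba0b742dacc9ae7c38395b93182343575ca8e02fe8a6a3cbaf0094d1de9"),
    ("/data/data/com.yanyan.cputemp/files/__local_stat_cache.json",
     "c8a6624f390568f0ddcb9841336aec6a564460fdaf6624e562b32935b8956f19"),
    ("/data/data/com.yanyan.cputemp/files/__local_except_cache.json",
     "e4ee4f305923a0214d04fba68dc3974aee2b190b44c119b059b6b26c1f9e1845"),
]

# Containers that DexClassLoader / PathClassLoader will accept as code.
CODE_SUFFIXES = (".jar", ".dex", ".apk", ".zip")


def normalize(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg>; fold both forms."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def parse_dex2oat(cmdline: str) -> dict[str, str]:
    """Collect --key=value options; a repeated key keeps its last value."""
    opts: dict[str, str] = {}
    for tok in cmdline.split():
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts[key] = val
    return opts


def rewritten_paths(files) -> list[str]:
    """Paths reported more than once with different content hashes."""
    hashes = defaultdict(set)
    for path, sha in files:
        hashes[normalize(path)].add(sha)
    return sorted(p for p, s in hashes.items() if len(s) > 1)


def code_drops(files) -> list[str]:
    """Dropped files that are loadable code containers."""
    return sorted({normalize(p) for p, _ in files if p.endswith(CODE_SUFFIXES)})


def correlate(cmdline: str, files) -> dict:
    """Tie the dex2oat target back to the dropped-file evidence."""
    opts = parse_dex2oat(cmdline)
    dex = opts.get("dex-file", "")
    dropped = {normalize(p) for p, _ in files}
    return {
        "dex_file": dex,
        "oat_location": opts.get("oat-location", ""),
        "compiler_filter": opts.get("compiler-filter", ""),
        "dex_file_was_dropped": normalize(dex) in dropped,
        "code_drops": code_drops(files),
        "rewritten": rewritten_paths(files),
    }


if __name__ == "__main__":
    for key, value in correlate(DEX2OAT_CMDLINE, DROPPED_FILES).items():
        print(f"{key}: {value}")
```

A jar that is compiled by dex2oat from the app's private `files/` directory is, by definition, code that was not in the installed APK, which is why the report tags it as evasion; when the same path carries two hashes, both versions should be pulled from the sandbox and diffed, since only one of them is what actually ran.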

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 13:25

Reported

2024-06-18 13:28

Platform

android-x64-20240611.1-en

Max time kernel

7s

Max time network

131s

Command Line

com.yanyan.cputemp

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yanyan.cputemp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.213.14:443 tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 hmma.baidu.com udp
HK 103.235.46.195:80 hmma.baidu.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
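The Network tables in the three behavioral runs mix mDNS noise, DNS lookups, TLS connections that the sandbox could not pair with a name, and repeated cleartext HTTP to the same two hosts. The script below is an added example, not part of the report, that turns the behavioral2 rows above into deduplicated indicators: resolved names, cleartext (port 80) endpoints with hit counts, and TLS destinations with no observed domain. The rows are copied verbatim from the table; the column handling (a missing Domain column collapses to three tokens) follows the report's own layout.

```python
"""Turn the report's Network rows into deduplicated indicators."""
import ipaddress
from collections import Counter

# Rows copied from the behavioral2 Network table.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.213.14:443 tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 hmma.baidu.com udp
HK 103.235.46.195:80 hmma.baidu.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
"""


def parse_rows(text: str) -> list[dict]:
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # no Domain column on this row
            country, dest, proto = parts
            domain = ""
        else:
            continue                     # header or blank line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list[dict]) -> dict:
    """Separate lookups, cleartext traffic, unnamed TLS peers and multicast noise."""
    dns = sorted({r["domain"] for r in rows
                  if r["proto"] == "udp" and r["port"] == 53 and r["domain"]})
    multicast = sorted({r["ip"] for r in rows
                        if ipaddress.ip_address(r["ip"]).is_multicast})
    tcp = [r for r in rows if r["proto"] == "tcp"]
    # Cleartext HTTP: anything an on-path attacker could read or modify.
    plain = Counter((r["domain"] or r["ip"], r["ip"], r["port"])
                    for r in tcp if r["port"] == 80)
    cleartext = sorted((d, ip, port, n) for (d, ip, port), n in plain.items())
    # TLS peers the sandbox never matched to a lookup (SNI or pcap needed).
    tls_no_domain = sorted({r["ip"] for r in tcp
                            if r["port"] == 443 and not r["domain"]})
    resolved: dict[str, set[str]] = {}
    for r in tcp:
        if r["domain"]:
            resolved.setdefault(r["domain"], set()).add(r["ip"])
    return {"dns": dns, "multicast": multicast, "cleartext": cleartext,
            "tls_no_domain": tls_no_domain, "resolved": resolved}


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

The cleartext hits are all to `*.baidu.com` ad and statistics hosts, which, together with the `baidu/.cuid` file and the `__pasys_remote_banner.jar` name, points at an advertising SDK that fetches code at runtime. The report does not show whether the jar was delivered over those port-80 connections; that has to be confirmed from the HTTP bodies in the capture, because a code module fetched over cleartext without signature verification is a remote-code-execution path for anyone on the network, regardless of what the app's own code does.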

Files

/data/data/com.yanyan.cputemp/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/data/com.yanyan.cputemp/files/__local_except_cache.json

MD5 9d2c87eaf9bf13aa8e83f1a15c51e21a
SHA1 8b7f0f9e0252513f491e134c5da5d08caec2365e
SHA256 2297950287f8cfdd8fd30419fa43ae55afa519b7cb7bcd5ced2a7302eab0c1e0
SHA512 b8cdcb85efb0cdc6c008732c6c0561485b91e35565e7d1b6af22823fd326f9970f427330e1e60e58931e20062b8891c4bfa0b265551a0fe512e79d73ffd3bad7

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 13:25

Reported

2024-06-18 13:28

Platform

android-x64-arm64-20240611.1-en

Max time kernel

7s

Max time network

133s

Command Line

com.yanyan.cputemp

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yanyan.cputemp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 mobads.baidu.com udp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
CN 182.61.200.101:80 mobads.baidu.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.tmp.jar

MD5 289aa52188b4a1eb9a3a5904b0638ada
SHA1 3efe010f8832bc5ee7df88152e01ef1f446663c4
SHA256 947be2e29c43127ccaa6ab05b2600405cebd5aef985204a4cf2e17ecf7cfaa91
SHA512 34078ccf3fc42c63f338bb9f62eb139d953ad9e0e5fd813465d9f4d37f708fc20d7309897919cdf6be37acbda2669fd6d32ff4a233279e2cd6e2a0ba62cdc47d

/data/user/0/com.yanyan.cputemp/files/__pasys_remote_banner.jar

MD5 96d208e818748da0a0510994de5be961
SHA1 8f093544c3ce04ef1dc323730d2937f889c911c6
SHA256 9fab83f42fe2573d80524e4b91caffaee37f2ca37f56f6a97a2c626fb7927215
SHA512 55a2b0c3a86ed751f31f96774aadebcf9068a4c3b828f0e1f4e30f0a5acd7a66ef14df7361ad2d9cccfe8f560db8e8cb2c67d9a459a75d24fbf762528f32bbf8

/data/user/0/com.yanyan.cputemp/files/__local_except_cache.json

MD5 2896aac8c269c9b71c457401176845f3
SHA1 953e20409c2bb295251ab03506dd47dc8dd76ea9
SHA256 842e1e8291474fc9e1401c1ef168d1badffa480501941528b420b1c2b02df9a3
SHA512 dc31b2207903992da31b2abc5bd9f43aaea4c24d19852c0f7b295759bd024758273698129d6dc8d524d8bb216bd6b64693a17be892824386043d94bcf3ba6544