Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-rmw39a1fjk
Target bc62ea4802dfd1299885d90a0ceb099d_JaffaCakes118
SHA256 1e71518c6673556ac151386636013b10ad6253f15ab94a5770f03a11d508d728
Tags
discovery impact persistence collection credential_access
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file bc62ea4802dfd1299885d90a0ceb099d_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:19

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:19

Reported

2024-06-18 14:22

Platform

android-x86-arm-20240611.1-en

Max time kernel

169s

Max time network

172s

Command Line

com.superepairman.Superepairman

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.superepairman.Superepairman

com.superepairman.Superepairman:pushservice

Network


Files

/data/data/com.superepairman.Superepairman/files/init_c1.pid


/data/data/com.superepairman.Superepairman/databases/pushsdk.db-journal


/data/data/com.superepairman.Superepairman/databases/pushsdk.db


/data/data/com.superepairman.Superepairman/databases/pushsdk.db-shm


/data/data/com.superepairman.Superepairman/databases/pushsdk.db-wal


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:19

Reported

2024-06-18 14:22

Platform

android-x64-arm64-20240611.1-en

Max time kernel

171s

Max time network

186s

Command Line

com.superepairman.Superepairman

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.superepairman.Superepairman

com.superepairman.Superepairman:pushservice

Network


Files

/data/user/0/com.superepairman.Superepairman/files/init_c1.pid


/data/user/0/com.superepairman.Superepairman/databases/pushsdk.db-journal


/data/user/0/com.superepairman.Superepairman/databases/pushsdk.db
