Malware Analysis Report

2024-10-19 13:10

Sample ID 240618-tgye8svclr
Target bccb647da9a26caa5333317a445ca15c_JaffaCakes118
SHA256 51231955a19a1fc3b7ba77c8bcb7ca456f66cdba32696b3c1b98fe7144e56d99
Tags discovery, impact, persistence, collection, credential_access
Score 7/10


Analysis Overview

Score 7/10

SHA256 51231955a19a1fc3b7ba77c8bcb7ca456f66cdba32696b3c1b98fe7144e56d99

Threat Level: Shows suspicious behavior

The file bccb647da9a26caa5333317a445ca15c_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags discovery, impact, persistence, collection, credential_access

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-06-18 16:02

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-18 16:02
Reported 2024-06-18 16:05
Platform android-x86-arm-20240611.1-en
Max time kernel 105s
Max time network 186s

Command Line

com.wzrjcsdrz

Signatures

Queries the mobile country code (MCC)

Tags discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.wzrjcsdrz

Network

Country Destination Domain Proto
GB 142.250.180.14:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 360stat.org udp
US 1.1.1.1:53 checksum.cc udp
US 1.1.1.1:53 qq.com udp
HK 203.205.254.157:80 qq.com tcp
HK 203.205.254.157:80 qq.com tcp
US 1.1.1.1:53 xgbox.25lm.cn udp
US 1.1.1.1:53 www.qq.com udp
US 1.1.1.1:53 www.vizy8.cn udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
HK 107.148.12.130:80 checksum.cc tcp
HK 107.148.12.130:80 checksum.cc tcp
US 1.1.1.1:53 log-report.com udp
US 104.21.75.58:80 log-report.com tcp
HK 107.148.12.130:80 checksum.cc tcp
DE 43.175.60.134:443 www.qq.com tcp
DE 43.175.60.134:443 www.qq.com tcp
US 1.1.1.1:53 mat1.gtimg.com udp
US 1.1.1.1:53 inews.gtimg.com udp
US 1.1.1.1:53 xw.qq.com udp
GB 23.215.228.198:443 inews.gtimg.com tcp
GB 23.215.228.198:443 inews.gtimg.com tcp
NL 43.152.43.24:443 mat1.gtimg.com tcp
NL 43.152.43.24:443 mat1.gtimg.com tcp
NL 43.152.43.24:443 mat1.gtimg.com tcp
NL 43.152.43.24:443 mat1.gtimg.com tcp
GB 23.215.228.198:443 inews.gtimg.com tcp
US 172.67.214.214:80 log-report.com tcp
US 172.67.214.214:80 log-report.com tcp
US 1.1.1.1:53 staticfile.qq.com udp
HK 107.148.12.130:80 checksum.cc tcp
SE 43.152.140.54:443 staticfile.qq.com tcp
SE 43.152.140.54:443 staticfile.qq.com tcp
SE 43.152.140.54:443 staticfile.qq.com tcp
US 1.1.1.1:53 xgbox.25lm.cn udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 static.tinyadx.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 172.67.214.214:80 log-report.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.202:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 xw.qq.com udp
US 1.1.1.1:53 xw.qq.com udp
DE 43.175.60.134:443 xw.qq.com tcp
DE 43.175.60.134:443 xw.qq.com tcp
US 1.1.1.1:53 i.news.qq.com udp
DE 43.175.60.134:443 i.news.qq.com tcp
DE 43.175.60.134:443 i.news.qq.com tcp
US 1.1.1.1:53 tun-cos-1258344701.file.myqcloud.com udp
US 1.1.1.1:53 vfiles.gtimg.cn udp
CN 112.84.131.219:443 tun-cos-1258344701.file.myqcloud.com tcp
CN 112.84.131.219:443 tun-cos-1258344701.file.myqcloud.com tcp
NL 43.152.43.24:443 vfiles.gtimg.cn tcp
NL 43.152.43.24:443 vfiles.gtimg.cn tcp
US 1.1.1.1:53 h.trace.qq.com udp
HK 129.226.106.225:443 h.trace.qq.com tcp
HK 129.226.106.225:443 h.trace.qq.com tcp
HK 129.226.106.225:443 h.trace.qq.com tcp
CN 112.84.131.219:443 tun-cos-1258344701.file.myqcloud.com tcp
CN 42.177.83.115:443 tun-cos-1258344701.file.myqcloud.com tcp
CN 42.177.83.115:443 tun-cos-1258344701.file.myqcloud.com tcp
CN 42.177.83.115:443 tun-cos-1258344701.file.myqcloud.com tcp

Files

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt

MD5 d8c3cf1f7289b3418d471b1fd04cc7c8
SHA1 2f5d5cd2979eb701e9d08f20e4f2eb51fee6c79b
SHA256 c69f56288539e7dea4acacd899642a6cbf9e410c1c3ee3b31d2d0e1ad16faaf9
SHA512 e7e842661c5c2a490b41782e652dc27dc070506d58535bccd5ba74102caddef359e39ce7c3347cf717527174fd78b1971e1da1ac77668c69190fa676ba88b8ab

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt

MD5 e4f22496c7876af4630bf325a9ad642f
SHA1 a64c33431a60ab546b71211374feb1864e36f447
SHA256 3d5ebd95b6256956cb14ec8a51bf0557b60ba464cf79eb4ce9596eaa20d42c7c
SHA512 1834a551a275735193bb8b2149fc4b90a33e4123e7ceb6e9dd7e88ce28a08fdd61d8bcab4e2037eb160e3fbd9d00f5815cfd38a782e0210bcbaff35e05aa5fe7

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt

MD5 e350865c16447f0e677edfbfc2cca6f5
SHA1 aa0874bc1792bbd32ecaefa8659bff1b9cab2d24
SHA256 8653979cea9633440c61e4ef98cbd3f6d65e29b6b27b786ed167831f235d83fc
SHA512 1ec804caebb2808106b2319cd17020f54a3f02f9b0d458d6e8fc673a0393d246816fdc6e9d41325f045e3d89d2dc6dcdbc2ddd5887e2ba3c3f1507d2ccc01ba3

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt

MD5 43d2ee2984cea326b24fb99f835a683a
SHA1 2d9fcc209ee901ff830a2a565a9d5f3640e00dbf
SHA256 45a1f492218154aeb4af6063575845c2ed37717260f8f641269afe56254fcef4
SHA512 e5fbd11755a2376df015f1211ee27bde0f49d133b0ef0e006b89f4c1f3773bd7227097c8b19bd573ad47523c96b55fe54a4ca0c8674a97b7f2721eea643792e9

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-18 16:02
Reported 2024-06-18 16:05
Platform android-x64-arm64-20240611.1-en
Max time kernel 123s
Max time network 178s

Command Line

com.wzrjcsdrz

Signatures

Obtains sensitive information copied to the device clipboard

Tags collection, credential_access, impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.wzrjcsdrz

Network

Country Destination Domain Proto
GB 142.250.187.206:443 N/A tcp
GB 142.250.187.206:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 216.58.212.234:443 N/A tcp
GB 216.58.212.234:443 N/A tcp
US 1.1.1.1:53 360stat.org udp
US 1.1.1.1:53 checksum.cc udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 xgbox.25lm.cn udp
US 1.1.1.1:53 qq.com udp
CN 123.150.76.218:80 qq.com tcp
CN 123.150.76.218:80 qq.com tcp
US 1.1.1.1:53 www.vizy8.cn udp
HK 107.148.12.130:80 checksum.cc tcp
HK 107.148.12.130:80 checksum.cc tcp
US 1.1.1.1:53 static.tinyadx.com udp
US 1.1.1.1:53 log-report.com udp
US 1.1.1.1:53 log-report.com udp
US 1.1.1.1:53 log-report.com udp
US 1.1.1.1:53 log-report.com udp
US 172.67.214.214:80 log-report.com tcp
US 172.67.214.214:80 log-report.com tcp
CN 123.150.76.218:80 qq.com tcp
GB 216.58.212.196:443 N/A tcp
GB 216.58.212.196:443 N/A tcp
CN 113.108.81.189:80 qq.com tcp
CN 113.108.81.189:80 qq.com tcp
CN 113.108.81.189:80 qq.com tcp

Files

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt (deleted)

MD5 b3ce0b79b46a29ef575a12d74e172902
SHA1 fbd04ccbdce1bf7dd8a957c7cf967206057b6b9b
SHA256 eeb3b3811602ca37f16f35d868ae9365b0f47f6a5652129ade5f46f73a6af618
SHA512 ee3744848c7bb6438369e076cebe872c705ec53bfe85f6e20d0654f8fa74f36e27b833363c560cf5b3e9217d82d2f012a6ccf30a8897b2c480104c06b6d89964

/storage/emulated/0/Android/data/com.wzrjcsdrz/cache/crash.txt

MD5 a7b036474694e3198ecf7d818564284a
SHA1 846a492566b99164019c48bfdaf4716f07a05690
SHA256 a71e44bc1a7a0fa42238382ac701b7ee491a7d84cadcddad4e8809e8f581d6d6
SHA512 69048db99eb646e06b4d18abcce5ac8e21295c70cff2294bdef192ba585f83b4b4114f22bd75cb0da02f32cfd148321e6bb86092199be369e27a5f6b7ea52f25