Malware Analysis Report

2024-10-19 11:58

Sample ID 240702-f4v2qs1hpp
Target 1e23a853a7d8694fd4d7d5b752a5f200_JaffaCakes118
SHA256 f25766c3780d9b757a02e44678eec92aaa9e19f1b49980472ad3cd2a7fda87e6
Tags
execution persistence banker collection credential_access discovery evasion impact stealth trojan
score
8/10


Analysis Overview

score
8/10

SHA256

f25766c3780d9b757a02e44678eec92aaa9e19f1b49980472ad3cd2a7fda87e6

Threat Level: Likely malicious

The file 1e23a853a7d8694fd4d7d5b752a5f200_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

execution persistence banker collection credential_access discovery evasion impact stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Reads information about phone network operator

Queries information about active data network

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-07-02 05:26

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 05:26

Reported

2024-07-02 05:29

Platform

android-x86-arm-20240624-en

Max time kernel

167s

Max time network

131s

Command Line

com.lima.iiuvk.sprylqiq

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.lima.iiuvk.sprylqiq

com.lima.iiuvk.sprylqiq:RemoteProcess

com.lima.iiuvk.sprylqiq:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 05:26

Reported

2024-07-02 05:29

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

156s

Command Line

com.lima.iiuvk.sprylqiq

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lima.iiuvk.sprylqiq

com.lima.iiuvk.sprylqiq:RemoteProcess

com.lima.iiuvk.sprylqiq:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar

/data/user/0/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar

/data/data/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/data/data/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq

/data/data/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/data/data/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/storage/emulated/0/Download/sdsid

/data/data/com.lima.iiuvk.sprylqiq/app_tfile/oat/fields.jar.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-02 05:26

Reported

2024-07-02 05:29

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

181s

Command Line

com.lima.iiuvk.sprylqiq

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.lima.iiuvk.sprylqiq

com.lima.iiuvk.sprylqiq:RemoteProcess

com.lima.iiuvk.sprylqiq:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.180.2:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/data/user/0/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar

/data/user/0/com.lima.iiuvk.sprylqiq/app_tfile/fields.jar

/data/user/0/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/data/user/0/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq

/data/user/0/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/data/user/0/com.lima.iiuvk.sprylqiq/databases/tbcom.lima.iiuvk.sprylqiq-journal

/storage/emulated/0/Download/sdsid