Malware Analysis Report

2024-09-09 16:06

Sample ID 240726-c68ttsvblc
Target 724c6e623dae2a8ca9d66bf2c8bf0533_JaffaCakes118
SHA256 62bbab5bfac8c118a6cbadde76700f1602cd674e1c17d89db7cafb6eefb82283
Tags
irata discovery evasion impact persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62bbab5bfac8c118a6cbadde76700f1602cd674e1c17d89db7cafb6eefb82283

Threat Level: Known bad

The file 724c6e623dae2a8ca9d66bf2c8bf0533_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

irata discovery evasion impact persistence

Irata payload

Irata family

Checks if the Android device is rooted.

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the mobile country code (MCC)

Reads information about phone network operator.

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-26 02:42

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 02:42

Reported

2024-07-26 02:45

Platform

android-x86-arm-20240624-en

Max time kernel

65s

Max time network

131s

Command Line

com.wikimediacom.CD.Ripper

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.wikimediacom.CD.Ripper/cache/1582435991586.jar N/A N/A
N/A /data/user/0/com.wikimediacom.CD.Ripper/cache/1582435991586.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.wikimediacom.CD.Ripper

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wikimediacom.CD.Ripper/cache/1582435991586.jar --output-vdex-fd=62 --oat-fd=64 --oat-location=/data/user/0/com.wikimediacom.CD.Ripper/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.179:80 alog.umeng.com tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
CN 223.109.148.176:80 alog.umeng.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.wikimediacom.CD.Ripper/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.wikimediacom.CD.Ripper/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/com.wikimediacom.CD.Ripper/cache/1582435991586.jar

MD5 2048eb6124a452540ee51dae4145aadf
SHA1 d05005b2cd7fe4cd652b0d7fd1bdac2c19d51451
SHA256 105c54b6fe3f25350e92187467761598e4c21d62b1091b77d091f65f3bd98864
SHA512 bb6cb3853dd2a5d0701e20607d4e153ae201268dd2e5e2d06cc2df208b3b4dc50132a4ab428251b1644d2399fcc717662438d082ff14203387bab8794109d44d

/data/data/com.wikimediacom.CD.Ripper/files/umeng_it.cache

MD5 427bec5123c646b2c8f157e90d075cea
SHA1 4e12f2f468271fda95d748877f11f80c2571afe4
SHA256 cf46efbee1edacae9cade29308cb0e47f9c2870047cf5b6c3eb01076bb588fce
SHA512 afceca49e36efb302301db0c6379cfc75d4a1d968ed0217bb7f4fe10944e7a21c2ded5d39e55b88ed97ee6c59c51897f0962d9fb2881e22164daa2153a194275

/data/data/com.wikimediacom.CD.Ripper/files/.um/um_cache_1721961820909.env

MD5 535a5609e3f11b8aa32af5e51a05162c
SHA1 9d58881870c005c9d001ffcda203c55ea48127a8
SHA256 4927495b5cfed380bb0f43c578eb957781b1a35e99476e5dc8cb1b6d50907eee
SHA512 e097a16da403f418250c7210b97374efd8e8afdd39cf547df4cea8bbc86f14bc884d5a354d5ab32bb11474771a75c2ad3ae0fc52c726319ae4b34ddf7fd99abb