Malware Analysis Report

2024-09-09 16:06

Sample ID: 240728-lxheystfqe
Target: 139469bc35124b11ea955c4fcd577013_JaffaCakes118
SHA256: 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a
Tags: collection credential_access impact discovery persistence pdf link irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral9, behavioral3, behavioral7, behavioral10, behavioral1, behavioral5, behavioral6, behavioral8, behavioral12, behavioral4, behavioral2, behavioral11
  (each with: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a

Threat Level: Known bad

The file 139469bc35124b11ea955c4fcd577013_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: collection credential_access impact discovery persistence pdf link irata

Irata family

Irata payload

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

HTTP links in PDF interactive object

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-28 09:54

Signatures

Irata family

Tags: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

HTTP links in PDF interactive object

Tags: pdf link
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-arm64-20240624-en
Max time kernel: 23s
Max time network: 138s

Command Line

com.appmaker.testpdf

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testpdf

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.187.206:443 |  | tcp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 |  | tcp
GB | 142.250.187.228:443 |  | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-arm64-20240624-en
Max time kernel: 124s
Max time network: 138s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 |  | tcp
GB | 216.58.212.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 |  | tcp
GB | 142.250.187.228:443 |  | tcp

Files

/data/user/0/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

Analysis: behavioral7

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x86-arm-20240624-en
Max time kernel: 48s
Max time network: 136s

Command Line

com.appmaker.testpdf

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testpdf

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x86-arm-20240624-en
Max time kernel: 31s
Max time network: 136s

Command Line

com.appmaker.testappsx

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testappsx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.187.196:443 | www.google.com | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x86-arm-20240624-en
Max time kernel: 123s
Max time network: 131s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

/data/data/com.appmaker.appmaker/files/apps.db-journal

MD5 bf54b1af49dff36aae4ed1df70dee551
SHA1 8419dc1e02890127da192bc414e8a260b2ec9c2d
SHA256 873610fef046aca1e3d640bfd367d1c5605f15cba8fd1e4b4a3f5a2ebba38bf1
SHA512 468c424148eef8f3d5e644e401df70b1bf25a81fdc3c390c53b8efb3e08556170d53d4fc2f97bc1fb0a06fce8dfce5c58d3105a1a0624d1f6e6da067883ae089

/data/data/com.appmaker.appmaker/files/apps.db

MD5 62a4d9612947a6efb4dbc5d05a0c0feb
SHA1 67514e7ddc9b4b638c6bfb011973f96b6f3ae914
SHA256 51d4ce3345eabb9f2ae966d6e1c1ee9934e37e3840d77ff02bd724dd7a940258
SHA512 d2cf9c2339c855d4a6caf5e620d27f0cfa661a70d0f7dc2e6c4839479858da44cbd06148f0683806817d02108a968dc8433ccb471946cc5f7a740ba8008b1df3

Analysis: behavioral5

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-20240624-en
Max time kernel: 22s
Max time network: 169s

Command Line

com.myapp.exs

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.myapp.exs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 |  | tcp
GB | 142.250.180.4:443 |  | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-arm64-20240624-en
Max time kernel: 22s
Max time network: 137s

Command Line

com.myapp.exs

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.myapp.exs

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 |  | tcp
GB | 142.250.180.14:443 |  | tcp
GB | 142.250.180.14:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 |  | tcp
GB | 142.250.200.36:443 |  | tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-20240624-en
Max time kernel: 42s
Max time network: 170s

Command Line

com.appmaker.testpdf

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testpdf

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 |  | tcp
GB | 172.217.16.228:443 |  | tcp
GB | 142.250.179.238:443 |  | tcp
GB | 142.250.200.34:443 |  | tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 138s

Command Line

com.appmaker.testappsx

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testappsx

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 |  | tcp
GB | 142.250.187.238:443 |  | tcp
GB | 142.250.187.238:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
GB | 142.250.187.196:443 | www.google.com | tcp
GB | 142.250.200.36:443 |  | tcp
GB | 142.250.200.36:443 |  | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x86-arm-20240624-en
Max time kernel: 21s
Max time network: 140s

Command Line

com.myapp.exs

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.myapp.exs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-20240624-en
Max time kernel: 124s
Max time network: 166s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 |  | tcp
GB | 142.250.180.4:443 |  | tcp
GB | 216.58.201.98:443 |  | tcp
GB | 172.217.169.46:443 |  | tcp

Files

/data/data/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

Analysis: behavioral11

Detonation Overview

Submitted: 2024-07-28 09:54
Reported: 2024-07-28 09:57
Platform: android-x64-20240624-en
Max time kernel: 30s
Max time network: 169s

Command Line

com.appmaker.testappsx

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.appmaker.testappsx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:80 | www.google.com | tcp
GB | 142.250.187.228:443 | www.google.com | tcp
GB | 142.250.179.238:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.179.228:443 |  | tcp
GB | 142.250.200.34:443 |  | tcp
GB | 216.58.204.78:443 |  | tcp

Files

N/A