Malware Analysis Report

2025-01-19 05:19

Sample ID 240821-qy6lds1end
Target b3ae7ccaafecd53677ebb87b48713fd0_JaffaCakes118
SHA256 505b5994b4ce11b73d844709e4cca8e701597b44c944c7edd22f5587fc6c611c
Tags discovery evasion execution persistence stealth trojan collection credential_access impact
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score

8/10

SHA256

505b5994b4ce11b73d844709e4cca8e701597b44c944c7edd22f5587fc6c611c

Threat Level: Likely malicious

The file b3ae7ccaafecd53677ebb87b48713fd0_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion execution persistence stealth trojan collection credential_access impact

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-08-21 13:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-21 13:41

Reported

2024-08-21 13:44

Platform

android-x86-arm-20240624-en

Max time kernel

23s

Max time network

131s

Command Line

com.machinezone.gow.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Queries the mobile country code (MCC)
Tags: discovery
Description: Framework service call; Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: N/A; Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call; Indicator: android.app.IActivityManager.registerReceiver; Process: N/A; Target: N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description: Framework service call; Indicator: android.app.job.IJobScheduler.schedule; Process: N/A; Target: N/A

Checks CPU information
Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Checks memory information
Description: File opened for read; Indicator: /proc/meminfo; Process: N/A; Target: N/A

Processes

com.machinezone.gow.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 freegeoip.net udp
US 3.33.130.190:443 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-shm

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-wal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-wal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-21 13:41

Reported

2024-08-21 13:44

Platform

android-x64-20240624-en

Max time kernel

23s

Max time network

157s

Command Line

com.machinezone.gow.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description: Framework service call; Indicator: android.content.IClipboard.addPrimaryClipChangedListener; Process: N/A; Target: N/A

Queries the mobile country code (MCC)
Tags: discovery
Description: Framework service call; Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: N/A; Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call; Indicator: android.app.IActivityManager.registerReceiver; Process: N/A; Target: N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description: Framework service call; Indicator: android.app.job.IJobScheduler.schedule; Process: N/A; Target: N/A

Checks CPU information
Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Checks memory information
Description: File opened for read; Indicator: /proc/meminfo; Process: N/A; Target: N/A

Processes

com.machinezone.gow.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 freegeoip.net udp
US 3.33.130.190:443 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/data/com.machinezone.gow.hack/databases/evernote_jobs.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-21 13:41

Reported

2024-08-21 13:44

Platform

android-x64-arm64-20240624-en

Max time kernel

24s

Max time network

132s

Command Line

com.machinezone.gow.hack

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Description: Framework service call; Indicator: android.content.IClipboard.addPrimaryClipChangedListener; Process: N/A; Target: N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description: Framework service call; Indicator: android.app.job.IJobScheduler.schedule; Process: N/A; Target: N/A

Checks CPU information
Description: File opened for read; Indicator: /proc/cpuinfo; Process: N/A; Target: N/A

Checks memory information
Description: File opened for read; Indicator: /proc/meminfo; Process: N/A; Target: N/A

Processes

com.machinezone.gow.hack

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 freegeoip.net udp
US 3.33.130.190:443 freegeoip.net tcp
US 1.1.1.1:53 lp.androidapk.world udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db-journal

/data/user/0/com.machinezone.gow.hack/databases/evernote_jobs.db