Malware Analysis Report

2025-01-19 05:20

Sample ID 240824-kavw4a1erc
Target be3780d79c9774ac539fc21491cfa14e_JaffaCakes118
SHA256 e1ef06cf082a26043305c730f719ce56205ab522181398b26330d7bdff0308af
Tags
discovery evasion persistence stealth trojan collection credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e1ef06cf082a26043305c730f719ce56205ab522181398b26330d7bdff0308af

Threat Level: Likely malicious

The file be3780d79c9774ac539fc21491cfa14e_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion persistence stealth trojan collection credential_access impact

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-24 08:24

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 08:24

Reported

2024-08-24 08:27

Platform

android-x86-arm-20240624-en

Max time kernel

17s

Max time network

174s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

su

su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 hackid.publicvm.com udp
SG 139.99.66.103:1177 hackid.publicvm.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 hackid.publicvm.com udp
SG 139.99.66.103:1177 hackid.publicvm.com tcp

Files

/data/data/com.eset.ems2.gp/files/IM.txt

MD5 de63553ba6b9d50701b9712bf4645e72
SHA1 63d79d75ad5d81603227112991c5f144ad1b8fc1
SHA256 e3ddd5cd104b923dc337b2a20a7502c9b57b8a1198f1554dde945a98704a90c7
SHA512 07c0fa5df977670b635b4787dd328e9357c17958e100c0e2bdb93700a0662d424f726a325d6d7b0a5684e67b489a78179a0db863ab44d6af6c0f3a47c0aa2baf

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 08:24

Reported

2024-08-24 08:27

Platform

android-x64-20240624-en

Max time kernel

18s

Max time network

148s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.204.66:443 tcp

Files

/data/data/com.eset.ems2.gp/files/IM.txt

MD5 a6a05b9c35fb42b2a2bdb4a8f037c351
SHA1 06187a5ee4a9644ec17d4e70f8ad45e154e8579c
SHA256 a5af7b5516b3b9f68986c0ef3e04e9b67d13219cda57b612842eb0a45a5b2ceb
SHA512 da823ee584eb5f423d0aadaa250840311483b45a77f03d9a2b8e74e7485d6591f50aae609f49703c2ac7d683809be42beffac35b8783130b59911d43c1392b05

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-24 08:24

Reported

2024-08-24 08:27

Platform

android-x64-arm64-20240624-en

Max time kernel

112s

Max time network

133s

Command Line

com.eset.ems2.gp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eset.ems2.gp

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/user/0/com.eset.ems2.gp/files/IM.txt

MD5 49542f738bb949419e861f54bc6ea25c
SHA1 58f3df0f04fdfff0c86557bef615538d55264fda
SHA256 8a0663f9c1982f4ae628ba2e70edfe192be532b2c0bdcda6a3c33112db373485
SHA512 db95fdd28a4ae63892a7af8472d53f0cfadc34fb77b13ae60eb38f09d34cd88e165f1d36312dd78eb60b05f98eafdc67f05564a6c891f18fbfbd0e6fa516e045