Malware Analysis Report

2025-06-16 00:53

Sample ID 241031-3w34pssrcv
Target 83c33fbc5d2012192d564ea625343d39_JaffaCakes118
SHA256 19748a3a997ab4fc5c73769be9570fc008db9d0f24863e7e220bab3c6839a71d
Tags
banker discovery persistence collection credential_access impact
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 83c33fbc5d2012192d564ea625343d39_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-10-31 23:52

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process / Target: N/A

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process / Target: N/A

Requests dangerous framework permissions

Indicator and description (Process / Target: N/A for all entries):

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 23:52

Reported

2024-10-31 23:55

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

131s

Command Line

com.ezzebd.androidassistant

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description: Framework service call
Indicator: android.app.IActivityManager.getRunningAppProcesses (2 entries)
Process / Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (2 entries)
Process / Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process / Target: N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver (2 entries)
Process / Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo (2 entries)
Process / Target: N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

sh

toolbox ps -p -P -x -c

(the sh / toolbox ps -p -P -x -c pair is listed 7 times in the process list)

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     -                         udp
US       1.1.1.1:53           track-web.link            udp
US       199.59.243.227:80    track-web.link            tcp
US       199.59.243.227:80    track-web.link            tcp
US       199.59.243.227:80    track-web.link            tcp
US       1.1.1.1:53           api.triggerhood.com       udp
DE       185.53.178.54:80     api.triggerhood.com       tcp
GB       216.58.204.78:443    -                         tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       216.58.204.78:443    android.apis.google.com   tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/-15667203721826617373

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-shm

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 23:52

Reported

2024-10-31 23:55

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

157s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process / Target: N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description: Framework service call
Indicator: android.app.IActivityManager.getRunningAppProcesses (2 entries)
Process / Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (2 entries)
Process / Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process / Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver (2 entries)
Process / Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo (2 entries)
Process / Target: N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
US       1.1.1.1:53           track-web.link             udp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       142.250.179.232:443  ssl.google-analytics.com   tcp
US       1.1.1.1:53           api.triggerhood.com        udp
US       199.59.243.227:80    track-web.link             tcp
US       199.59.243.227:80    track-web.link             tcp
US       199.59.243.227:80    track-web.link             tcp
DE       185.53.178.54:80     api.triggerhood.com        tcp
GB       142.250.180.14:443   -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       172.217.169.14:443   android.apis.google.com    tcp
GB       172.217.16.228:443   -                          tcp
GB       172.217.16.228:443   -                          tcp
GB       142.250.179.238:443  -                          tcp
GB       142.250.200.34:443   -                          tcp

Files

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal (3 entries, each with different hashes)

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-31 23:52

Reported

2024-10-31 23:55

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

134s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process / Target: N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description: Framework service call
Indicator: android.app.IActivityManager.getRunningAppProcesses (2 entries)
Process / Target: N/A

Queries information about active data network

discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo (2 entries)
Process / Target: N/A

Reads information about phone network operator

discovery

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo (2 entries)
Process / Target: N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
GB       172.217.16.238:443   -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
US       1.1.1.1:53           android.apis.google.com    udp
GB       142.250.200.14:443   android.apis.google.com    tcp
GB       142.250.200.46:443   android.apis.google.com    tcp
US       1.1.1.1:53           track-web.link             udp
US       199.59.243.227:80    track-web.link             tcp
US       199.59.243.227:80    track-web.link             tcp
US       199.59.243.227:80    track-web.link             tcp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       172.217.16.232:443   ssl.google-analytics.com   tcp
US       1.1.1.1:53           api.triggerhood.com        udp
DE       185.53.178.54:80     api.triggerhood.com        tcp
GB       142.250.187.196:443  -                          tcp
GB       142.250.187.196:443  -                          tcp

Files

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal (3 entries, each with different hashes)

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db