Malware Analysis Report

2025-06-15 22:32

Sample ID 241102-m965hsshmk
Target 8524b63b879cb9712a49088eed5332e2_JaffaCakes118
SHA256 2fa925b7ae8480046f481e31ce82c9e4b3463386a882be2dc189e77bbff025f8
Tags
banker discovery persistence collection credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

2fa925b7ae8480046f481e31ce82c9e4b3463386a882be2dc189e77bbff025f8

Threat Level: Shows suspicious behavior

The file 8524b63b879cb9712a49088eed5332e2_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 11:10

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 11:10

Reported

2024-11-02 11:13

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

156s

Command Line

com.ezzebd.androidassistant

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.204.68:80 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 142.250.200.35:80 | | tcp
GB | 216.58.201.98:443 | | tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/13717149521826617373

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-shm

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 11:10

Reported

2024-11-02 11:13

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

149s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
GB | 216.58.212.202:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/2132231888-623260666

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-02 11:10

Reported

2024-11-02 11:13

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

133s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/user/0/com.ezzebd.androidassistant/cache/volley/2132231888681133063

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal