Malware Analysis Report

2025-05-06 01:31

Sample ID 241103-1n1mhawcnn
Target 8da7f7aa9f8e2ba8c4bac43f861c48ff_JaffaCakes118
SHA256 554043abb0171f46ec614fc121091033a6e428c532518cf5e9ca140af3a1fa92
Tags
banker discovery persistence collection credential_access impact
score
7/10


Analysis Overview

score
7/10

SHA256

554043abb0171f46ec614fc121091033a6e428c532518cf5e9ca140af3a1fa92

Threat Level: Shows suspicious behavior

The file 8da7f7aa9f8e2ba8c4bac43f861c48ff_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the mobile country code (MCC)

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 21:48

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 21:48

Reported

2024-11-03 21:51

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

132s

Command Line

com.ezzebd.androidassistant

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

sh

toolbox ps -p -P -x -c

(the sh / toolbox ps pair above is recorded seven times in this run)

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/-17596654011826617373

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 0b960761a83d1f89430776dbcfbe9851
SHA1 bc9bb03ea1af1eb83bc03879b6d6df514c9d99ac
SHA256 d39ee67e64fc73963d654f338ffd0ccb2f528cfc00aa453f9ccd949e2e4239c1
SHA512 2a2406054f3802d8b7d85fdb2aa4ae3c39907535422b6c8edc72d0f5168870c340d65b44c440f83f7b447a658db40730fa03d1c2dfae9290a6b9e466690b7bb5

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-wal

MD5 781fe1f733db35588a1528557c76b652
SHA1 5f323f6f90a32fa744cb596108cc0403b4faaeb2
SHA256 b74e48a41b963148d2784eb95eda235f806afd0b17c0edf8b7b2981b4f78014c
SHA512 76992e7669276c964cb32488ba38312bc6e8f1a1a4f238d72d2fb5218695296a61afb0483dbabcb59d401de4029f361416279cd12a966665805b317e7562c95f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 21:48

Reported

2024-11-03 21:51

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

157s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/1006885135-623260666

MD5 e9a84a9a4292c6370d5519ceb2ee6956
SHA1 802e834100dd65896cd338b8adfaf0e571a53a56
SHA256 c136974b3a4db61930470fe214125874f7edcfd15c897be3387d05de99372715
SHA512 09b2047c544415173904cd3abca829548c88f60c98561feefb523c12487ac77cb3bfee7ccbd1009fca6353cdf6cabaf6405d369ce9af89a89691c4d7027cfb41

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 d7d4bb14bc48559a93f3ccf9ffb027bd
SHA1 aae9e9667f783f7feb6d6ac6904996ff858d3ea5
SHA256 8cde4974b19db0d8ce4e7e19223677cf3b070f2b0a8110565e9acf89c50dda82
SHA512 c67c6aedca39321f7f213c2e6205b251668022df2d2521cd36febafd6f015af7331004c2a4f4d375459cb40d3e5859b80717142f92ccf9b1867339a8bf0a44dd

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 1a27f10068ad27d2cfa7e085dca991f3
SHA1 d7c95bff0be475b7c88952853e01727a51499b02
SHA256 362914ddc465c61b729b5442b78672ae22b64b2ce5df33e08f16058c238e8ced
SHA512 ea838437e6216917e7b4abcf27a899c862c6dcdda5951e7b024d75ab821c5a88d14c4b2a8a29122b5b0368e234acb1b8728863e3c0a4ac67ca592aa7c951acec

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 971a9b7980eb0452f8e2b640e7114550
SHA1 389f31a25554afca0ccf4f7a8fe85cfecbb18fb5
SHA256 4182d542f59ae1847608b8a52ac4e6d6025ac09153da69f8f1b53a9df438f1f6
SHA512 595b5c3dcb1ac6bb5d7a82f193066d0a0fe4f1eabaf9bcb62510b979b2724af0455050e152e1b17a9354687aaf2fa4b30aadfecddd79f95a514930d7532558f3

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 21:48

Reported

2024-11-03 21:51

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

133s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/user/0/com.ezzebd.androidassistant/cache/volley/1006885135681133063

MD5 894e53f613d3bbf376b5e5a580dace0f
SHA1 5beb341d7501ae9151d4455f32b48b67b47a82db
SHA256 3fe1a6f6e57b864c66fc687fad13d9c8255999a13fefa2c1c7102d0d2d5c962d
SHA512 74e251a74fc8002bc4afe4319d555477d8b2e8114d097208ea1b9448568ce8060d48ea7282ed9aa21c71140ec8fe4286d97db2e488c7cc59e9671a8058b188e1

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 62f231b6b692f248c8b454e4cd5cc758
SHA1 0099ee61b0d010a2dcb00f308714aedaa63d2c9b
SHA256 23519fa42ec7b81e7b435d2103f9d76251bd3593298470e5064d97f759eb3d0c
SHA512 2796cb6ea00c5dd4beda5ab4ca6ad3ebbbdb375f3c908a5b1e1abab180ab7f5e9eefafdf446f6c705465749ec22e1d42e415c00bca87497939011062f507d5ad

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 928901a6a78a8930bf9372debebafb74
SHA1 c1b7b4c5895b6cff0ec13d618e06fc8bb2d576d1
SHA256 0ce63e9be58d3dfcb7495bc4aeac55f6b9cd112e8cfddc5a2009f06b5bb9a4d0
SHA512 19c7b68272e7e2d01835268b346ef8f537e71045cbf2ae391311fa278391125c2629db5d1fe2f8fb21f6dd751183b632e2c3d133ba834e9ae0e1085812301091

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 ba8d560b7dfa34e33ba00e6d17d7cede
SHA1 a931af9221335f5fcd7308800cabd9eb4b2d611a
SHA256 7b02d970408b343169e316d1dec01c248cb81d5f2bcfdaa955befcf319c28107
SHA512 4f723aaec2d1618df115e2da3b000a28890502dadf285b1a14b725fb073c4ba86d829c4d6a31b0a196569f4d10b5b51dc01131dc924e897752349048ea33c616