Malware Analysis Report

2025-05-28 18:46

Sample ID 241103-d5dsqstgmj
Target 89713a6fe3106d181e44db1d8bbbb00a_JaffaCakes118
SHA256 819996f9058d19fc3942b93bdc6070c640cbfc381cb725ce6e568868d1bed8b5
Tags banker discovery persistence collection credential_access impact
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256

819996f9058d19fc3942b93bdc6070c640cbfc381cb725ce6e568868d1bed8b5

Threat Level: Shows suspicious behavior

The file 89713a6fe3106d181e44db1d8bbbb00a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 03:35

Signatures

Requests dangerous framework permissions

Indicator                                  Description
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
Process and Target: N/A for all three rows.
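The static pass lists the three permissions above straight from the manifest. As an added example (analyst tooling, not part of the sandbox report or of the sample), the Python check below pulls the requested permissions out of a decoded AndroidManifest.xml and flags the ones on a watchlist. The manifest text is constructed for the example: the package name and the three flagged permissions come from the report, the INTERNET permission and the empty application element are filler, and the one-line rationale next to each watchlisted permission is the analyst's, not the sandbox's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the static pass flagged on this sample, with a one-line analyst
# rationale (assumption) for why each matters when triaging an overlay banker.
WATCHLIST = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps: overlay phishing",
    "android.permission.READ_PHONE_STATE": "phone state and device identifiers",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage: drop/cache files",
}

# Constructed manifest. The package name and the three flagged permissions come
# from the report; INTERNET and the empty <application> are filler so the XML is
# complete. A real one is obtained by decoding the APK's binary AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.wb.hlock20130925001808">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="hlock"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission>/<uses-permission-sdk-23> name in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")   # the attribute is namespaced: android:name
            if name:
                names.append(name)
    return names


def triage_permissions(manifest_xml):
    """Flag watchlisted permissions plus the overlay capability that makes a
    banker dangerous before any runtime behavior has been observed."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = {p: WATCHLIST[p] for p in perms if p in WATCHLIST}
    return {
        "package": root.get("package"),
        "requested": perms,
        "flagged": flagged,
        # SYSTEM_ALERT_WINDOW is the prerequisite for drawing a fake login screen
        # over a legitimate app; read it together with the runtime "queries
        # installed applications" signature in the behavioral runs.
        "overlay_capable": "android.permission.SYSTEM_ALERT_WINDOW" in flagged,
    }


if __name__ == "__main__":
    for key, value in triage_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

One caveat when reading the sandbox's "dangerous framework permissions" bucket: on the platform side only READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE have protectionLevel dangerous (runtime dialog); SYSTEM_ALERT_WINDOW is a special-access permission the user has to toggle under "Display over other apps" in Settings, which is why overlay bankers typically nag the victim into granting it rather than relying on an install-time prompt.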

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 03:35

Reported

2024-11-03 03:37

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

153s

Command Line

com.wb.hlock20130925001808

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Queries the mobile country code (MCC)

discovery
Description  Framework service call
Indicator    com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process      N/A
Target       N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description  Framework service call
Indicator    android.app.IActivityManager.registerReceiver
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Checks memory information

Description  File opened for read
Indicator    /proc/meminfo
Process      N/A
Target       N/A

Processes

com.wb.hlock20130925001808

Network

Country  Destination           Domain                    Proto
US       1.1.1.1:53            app.wapx.cn               udp
US       1.1.1.1:53            ads.wapx.cn               udp
US       1.1.1.1:53            shun.sinaapp.com          udp
US       1.1.1.1:53            shun.sinaapp.com          udp
US       1.1.1.1:53            shun.sinaapp.com          udp
CN       220.181.168.193:80    shun.sinaapp.com          tcp
GB       216.58.201.110:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.200.14:443    android.apis.google.com   tcp
US       1.1.1.1:53            app.waps.cn               udp
US       1.1.1.1:53            ads.waps.cn               udp
US       1.1.1.1:53            shun.sinaapp.com          udp
CN       220.181.168.193:80    shun.sinaapp.com          tcp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 a24ade0e257d4468df243caad64e7592
SHA1 667c7019f31eacb367ceefecaa4af285ab2d7942
SHA256 7c9f2b025130db7b8995946fa9355bb6159f8a530bdded70a807636ea15884c9
SHA512 79aa6b1443300da9d6940142b7159daacf6dbc9ba7aba49eb5d43ec1a624649e3f3cb27d9b924ffdc34f79c55820afbedae95147a31f27df194817f7f0ca15a3

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 c1487ca54405173140d84381f082f07f
SHA1 bc58bbe290c7bae037e263ff498ee424c956ee11
SHA256 270ca28d06b4fc462d0afe2fb715c388ccdf972461edeae83b17e880f3ff1c71
SHA512 1b0eb5fdcafad60c46599dd7b92783593b256b7e4e294e15c65249347f42d580e2b12256b575350132f24f99b183c820d405c4f2be14cda40bd8d85213c9f53a

/storage/emulated/0/Android/data/cache/UnPackage.dat

MD5 8c84dea0903c868d3917c6bb96470636
SHA1 5b02a6a50d1f3c39197afc208793b70c56349f3e
SHA256 de75f983ae7aecf395c1ce3c0af87f799f65966db228ec3ea4816fd2c5dd4909
SHA512 db0ea986e5b0e157bd6e7b40e47c4c136b3f3089f55901e55f14c59de1a51d8a8e270adcb3749d6a2c8e8013ff7fc8084e9daca1b150c700c66a5bddb137c819

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 03:35

Reported

2024-11-03 03:37

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

155s

Command Line

com.wb.hlock20130925001808

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description  Framework service call
Indicator    android.content.IClipboard.addPrimaryClipChangedListener
Process      N/A
Target       N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Queries the mobile country code (MCC)

discovery
Description  Framework service call
Indicator    com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process      N/A
Target       N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description  Framework service call
Indicator    android.app.IActivityManager.registerReceiver
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Checks memory information

Description  File opened for read
Indicator    /proc/meminfo
Process      N/A
Target       N/A

Processes

com.wb.hlock20130925001808

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            app.wapx.cn               udp
US       1.1.1.1:53            ads.wapx.cn               udp
US       1.1.1.1:53            shun.sinaapp.com          udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       172.217.16.232:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53            shun.sinaapp.com          udp
CN       220.181.168.193:80    shun.sinaapp.com          tcp
GB       142.250.187.206:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.200.14:443    android.apis.google.com   tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp
US       1.1.1.1:53            app.waps.cn               udp
US       1.1.1.1:53            ads.waps.cn               udp
GB       172.217.16.238:443    -                         tcp
GB       216.58.212.234:443    -                         tcp
GB       216.58.201.98:443     -                         tcp

Files

/storage/emulated/0/Android/data/cache/CacheTime.dat

MD5 61dfc58a7243d8ec14d37461a8a66383
SHA1 dfd4f6832e85171b5ec59fcb08e8d60379d17e2e
SHA256 db54e028fde8e5a0aae769527b449a483456f4a4017c8de34dda063f3501fc07
SHA512 2c7e0e7f001d37be4130b71f9048ca46e23def5bda9fe1ffdf62b3ae508b91ead6a9c4acc4609e82f7fffb490ec8769bc8a4e5195ba2e524e4a6104722350395

/storage/emulated/0/Android/data/cache/AppPackage.dat

MD5 c1487ca54405173140d84381f082f07f
SHA1 bc58bbe290c7bae037e263ff498ee424c956ee11
SHA256 270ca28d06b4fc462d0afe2fb715c388ccdf972461edeae83b17e880f3ff1c71
SHA512 1b0eb5fdcafad60c46599dd7b92783593b256b7e4e294e15c65249347f42d580e2b12256b575350132f24f99b183c820d405c4f2be14cda40bd8d85213c9f53a

/storage/emulated/0/Android/data/cache/UnPackage.dat

MD5 8c84dea0903c868d3917c6bb96470636
SHA1 5b02a6a50d1f3c39197afc208793b70c56349f3e
SHA256 de75f983ae7aecf395c1ce3c0af87f799f65966db228ec3ea4816fd2c5dd4909
SHA512 db0ea986e5b0e157bd6e7b40e47c4c136b3f3089f55901e55f14c59de1a51d8a8e270adcb3749d6a2c8e8013ff7fc8084e9daca1b150c700c66a5bddb137c819

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 03:35

Reported

2024-11-03 03:38

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

153s

Command Line

com.wb.hlock20130925001808

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description  Framework service call
Indicator    android.content.IClipboard.addPrimaryClipChangedListener
Process      N/A
Target       N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about active data network

discovery
Description  Framework service call
Indicator    android.net.IConnectivityManager.getActiveNetworkInfo
Process      N/A
Target       N/A

Queries information about the current Wi-Fi connection

discovery
Description  Framework service call
Indicator    android.net.wifi.IWifiManager.getConnectionInfo
Process      N/A
Target       N/A

Checks CPU information

Description  File opened for read
Indicator    /proc/cpuinfo
Process      N/A
Target       N/A

Checks memory information

Description  File opened for read
Indicator    /proc/meminfo
Process      N/A
Target       N/A
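The three behavioral runs did not fire the same signatures: the clipboard listener appears only on the x64 and x64-arm64 images, the device-ID query only in behavioral2, and the MCC query and the runtime receiver registration are absent from behavioral3. As an added example (analyst tooling, not part of the report), the Python script below parses signature sections in the report's own text layout, reports which signatures fired in which run, and translates the hooked Binder interface methods into the public SDK methods to search for in the decompiled APK. The run texts are copied from the page (indicator rows that repeat behavioral1 verbatim are omitted from the other two); the Binder-to-SDK mapping is an assumption maintained by the analyst, not something the sandbox states.

```python
# Tactic words the sandbox prints under a signature name; a line made only of these is a tag line.
TACTIC_TAGS = {"banker", "discovery", "persistence", "collection",
               "credential_access", "impact"}
INDICATOR_PREFIXES = ("Framework service call ", "File opened for read ")

# Binder interface method (what the sandbox hooks) -> public SDK method the
# sample's code actually calls. Analyst-maintained mapping (assumption), not
# part of the report; /proc paths have no SDK counterpart and pass through.
SDK_API = {
    "android.content.IClipboard.addPrimaryClipChangedListener":
        "android.content.ClipboardManager.addPrimaryClipChangedListener",
    "android.net.IConnectivityManager.getActiveNetworkInfo":
        "android.net.ConnectivityManager.getActiveNetworkInfo",
    "android.net.wifi.IWifiManager.getConnectionInfo":
        "android.net.wifi.WifiManager.getConnectionInfo",
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone":
        "android.telephony.TelephonyManager.getNetworkCountryIso",
    "android.app.IActivityManager.registerReceiver":
        "android.content.Context.registerReceiver",
}

# Signature sections copied from the three behavioral runs above. Indicator
# rows that repeat behavioral1 verbatim are omitted from the other two.
RUNS = {
    "behavioral1": """Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
banker discovery
Queries information about active data network
discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Queries information about the current Wi-Fi connection
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Queries the mobile country code (MCC)
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A
Registers a broadcast receiver at runtime (usually for listening for system events)
persistence
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Checks CPU information
File opened for read /proc/cpuinfo N/A N/A
Checks memory information
File opened for read /proc/meminfo N/A N/A
""",
    "behavioral2": """Obtains sensitive information copied to the device clipboard
collection credential_access impact
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Queries the unique device ID (IMEI, MEID, IMSI)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
""",
    "behavioral3": """Obtains sensitive information copied to the device clipboard
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries information about active data network
Queries information about the current Wi-Fi connection
Checks CPU information
Checks memory information
""",
}


def parse_signatures(text):
    """Map each signature name to its indicators; tag and header lines are dropped."""
    sigs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Description Indicator Process Target":
            continue
        if set(line.split()) <= TACTIC_TAGS:
            continue
        prefix = next((p for p in INDICATOR_PREFIXES if line.startswith(p)), None)
        if prefix and current is not None:
            sigs[current].append(line[len(prefix):].split()[0])  # drop trailing "N/A N/A"
        else:
            current = line
            sigs.setdefault(current, [])
    return sigs


def compare_runs(runs):
    """Signature name -> sorted list of the runs in which it fired."""
    fired = {}
    for run, text in runs.items():
        for name in parse_signatures(text):
            fired.setdefault(name, []).append(run)
    return {name: sorted(r) for name, r in fired.items()}


def inconsistent(runs):
    """Signatures that fired in some runs but not all: the ones to verify by hand."""
    return {n: r for n, r in compare_runs(runs).items() if len(r) < len(runs)}


def sdk_targets(runs):
    """Public SDK methods (or /proc paths) to search for in the decompiled APK."""
    hooked = {i for t in runs.values() for inds in parse_signatures(t).values() for i in inds}
    return {SDK_API.get(i, i) for i in hooked}
```

Signatures that fire on only some images are exactly the ones a sandbox summary can hide: the overview at the top of this report is the union of all three runs, so a signature such as the clipboard listener looks like a firm finding even though one of the three detonations never reached that code path. The sdk_targets set is what to grep for in jadx output to confirm each behavior statically.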

Processes

com.wb.hlock20130925001808

Network

Country  Destination           Domain                    Proto
GB       142.250.200.46:443    -                         tcp
GB       142.250.200.46:443    -                         tcp
N/A      224.0.0.251:5353      -                         udp
GB       142.250.200.46:443    -                         tcp
US       1.1.1.1:53            www.youtube.com           udp
GB       142.250.178.14:443    www.youtube.com           udp
GB       142.250.178.14:443    www.youtube.com           tcp
GB       142.250.200.46:443    www.youtube.com           tcp
US       216.239.32.223:443    -                         tcp
US       1.1.1.1:53            app.wapx.cn               udp
US       1.1.1.1:53            ads.wapx.cn               udp
US       1.1.1.1:53            shun.sinaapp.com          udp
CN       220.181.168.193:80    shun.sinaapp.com          tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.201.104:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53            app.waps.cn               udp
US       1.1.1.1:53            ads.waps.cn               udp
US       1.1.1.1:53            shun.sinaapp.com          udp
CN       220.181.168.193:80    shun.sinaapp.com          tcp
GB       142.250.187.193:443   -                         tcp
US       216.239.32.223:443    -                         tcp
GB       216.58.204.65:443     -                         tcp
US       216.239.32.223:443    -                         tcp
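The network tables of all three runs mix the sandbox's own resolver traffic (1.1.1.1:53), multicast DNS, Google endpoints the emulator image contacts by itself, and the sample's own connections. As an added example (analyst tooling, not part of the report), the Python script below parses rows in the report's "Country Destination Domain Proto" layout and separates names that were only resolved from hosts actually connected to, flags cleartext sessions, and sets aside platform endpoints for review last. The embedded rows are copied from the behavioral2 run; the list of platform suffixes is an analyst assumption and is not evidence that those endpoints are benign.

```python
from collections import defaultdict

# Endpoint suffixes an Android emulator with Google services talks to on its own.
# Treating them as platform noise is an analyst assumption, not proof they are benign.
PLATFORM_SUFFIXES = (".google.com", ".google-analytics.com", ".youtube.com")
MDNS = ("224.0.0.251", 5353)

# Network rows copied from the behavioral2 run above, in the report's own
# "Country Destination Domain Proto" layout; some rows have no domain.
BEHAVIORAL2_NETWORK = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 app.wapx.cn udp
US 1.1.1.1:53 ads.wapx.cn udp
US 1.1.1.1:53 shun.sinaapp.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 shun.sinaapp.com udp
CN 220.181.168.193:80 shun.sinaapp.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 app.waps.cn udp
US 1.1.1.1:53 ads.waps.cn udp
GB 172.217.16.238:443 tcp
GB 216.58.212.234:443 tcp
GB 216.58.201.98:443 tcp
"""


def parse_rows(text):
    """Split a row into country, ip, port, domain (None when the column is
    empty or '-') and proto."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "-" else None
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain):
    return domain.endswith(PLATFORM_SUFFIXES)


def triage_network(text):
    """Separate names that were only resolved from hosts actually connected to,
    list cleartext sessions and bare-IP connects, and split connected hosts
    into platform noise vs. hosts to review."""
    looked_up = set()
    connections = defaultdict(set)      # domain -> {(ip, port, proto)}
    bare_ip = set()
    for r in parse_rows(text):
        if (r["ip"], r["port"]) == MDNS:
            continue                                   # local multicast DNS chatter
        if r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:
                looked_up.add(r["domain"])             # resolver traffic, not sample infra
        elif r["domain"]:
            connections[r["domain"]].add((r["ip"], r["port"], r["proto"]))
        else:
            bare_ip.add((r["ip"], r["port"], r["proto"]))
    cleartext = sorted((d, ip, port) for d, eps in connections.items()
                       for ip, port, _ in eps if port == 80)
    return {
        # resolved but never connected: a weak indicator (NXDOMAIN, sinkholed or blocked)
        "dns_only": looked_up - set(connections),
        "review": {d: sorted(e) for d, e in connections.items() if not is_platform(d)},
        "platform": {d: sorted(e) for d, e in connections.items() if is_platform(d)},
        "cleartext": cleartext,
        "bare_ip": bare_ip,
    }


if __name__ == "__main__":
    for key, value in triage_network(BEHAVIORAL2_NETWORK).items():
        print(f"{key}: {value}")
```

Across the three runs the picture is the same: the only non-platform session is cleartext HTTP to shun.sinaapp.com at 220.181.168.193:80, and it recurs in every detonation, so that host is the indicator worth blocking and pivoting on. The app.wapx.cn, ads.wapx.cn, app.waps.cn and ads.waps.cn names were resolved in every run but never produced a connection, so they belong in a watchlist rather than a block rule until the resolution result is known.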

Files

N/A