Malware Analysis Report

2025-05-06 01:32

Sample ID: 241104-a43hxs1qfr
Target: 8e5237a5fb68f92e9b6e0d37c172e4e2_JaffaCakes118
SHA256: 59abde0b18235002444e4cfddbabcc2fb948f9a2618edec896f8de4f58647cde
Tags: banker discovery persistence collection credential_access impact
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 59abde0b18235002444e4cfddbabcc2fb948f9a2618edec896f8de4f58647cde

Threat Level: Shows suspicious behavior

The file 8e5237a5fb68f92e9b6e0d37c172e4e2_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

Tags: banker discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 00:46

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 00:46
Reported: 2024-11-04 00:49
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 137s

Command Line

com.ezzebd.androidassistant

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

sh

toolbox ps -p -P -x -c

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 74811982de9fdffde45b219b4e5c3528
SHA1 a240bd6e3b36788e8631add89495e14cf3f10020
SHA256 144e8b4f4e62f34fbddc2931d11e571580eb9ffda0711242f0555fb6bff17fcc
SHA512 de14af62bc02862561022776f711e30dfa16264a868fc2d8a28e6ee33b93ccd503a55c95d664867a97a10b7c10639628e86d598e7b58cd73ac4af27f8adaf457

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db

MD5 bf40ccfabca55d527d016a46c8673293
SHA1 0fad4060076bf1eb7681648cba11b20db43eda07
SHA256 d9970819ec5368729df3f57956f52f18ecb1f9605792db2e27059b7605c631b9
SHA512 4b4ee6bd2eefd4ee4402f9e1041bf42c4faba211bd05d00f893c242749ff76e4d49bdf4ed0955c1072a15d8e083c469108f6b39d3c04ca2e6d95b4a8eb2b2ff1

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-wal

MD5 faacaf6c6af3d7e5be082ab19d10fede
SHA1 60c38d41522c20a75ddf2ade8e88714905d0fb10
SHA256 b0d04e448bed1902cdd143bfcdd0614a96382e469b2b102a2c3a7b023a19a5e6
SHA512 6a843f17a08afab4fba69222eeb7855ad0d4d30946bf4b109b67f4e4a3db34236dda864f5439b91c0153612fc25ef3718c29f200cfd78e028bc7761f96925186

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 00:46
Reported: 2024-11-04 00:49
Platform: android-x64-20240624-en
Max time kernel: 149s
Max time network: 157s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.204.66:443 | | tcp

Files

/data/data/com.ezzebd.androidassistant/cache/volley/-839601416-623260666

MD5 e9a84a9a4292c6370d5519ceb2ee6956
SHA1 802e834100dd65896cd338b8adfaf0e571a53a56
SHA256 c136974b3a4db61930470fe214125874f7edcfd15c897be3387d05de99372715
SHA512 09b2047c544415173904cd3abca829548c88f60c98561feefb523c12487ac77cb3bfee7ccbd1009fca6353cdf6cabaf6405d369ce9af89a89691c4d7027cfb41

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 ac135f5abf6a9d0d4ebfeabf7f4239b6
SHA1 5c5fd112a72366e621bed468f66db75644786755
SHA256 6157e7419ffeedc299d642e91b243b6d4fb18a1a6db7b71545bbf55f94238519
SHA512 2d71674f08015c7f630347c19a6984e473534301a9b99bfcc67b7b444120aec8e780952af861dc4d834b6ad218088c9ff80afcb91aa38e0448b68ca81e470726

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 236a581fdfb540bd8f08919f1de896b1
SHA1 6f8123f3129771f3ea13a979c182609a6e2986e4
SHA256 7678cea5cfedac0030d1646f9f3bae8bca6b4253c92303bd847982a9b50a16e9
SHA512 d5c31230b0463b0b438c70000c823d392ad51180a49dcc09a56e08ee8b43a997b41c855f58f74a809b1515732709f234e143228777474efa31cb650d2e1453a3

/data/data/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 3617bf0843a5ed1918d55a7133d04350
SHA1 f8fa56dd693dd1c6e2e03016d79c321dfde9e753
SHA256 b8903988d1e72289e4ef8463e823e9ff636cb16da93eb691c31c83174e626c54
SHA512 31fccfd0c3d3495a9de46b0c296095e18213f181bdd5f85d5d31da8e5d92cad606c4fdc4a559e0a1acf075b8ab61033712af5bede2fb049177d702862c29a8e2

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-04 00:46
Reported: 2024-11-04 00:49
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 132s

Command Line

com.ezzebd.androidassistant

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

discovery

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ezzebd.androidassistant

com.ezzebd.androidassistant:beyondAppMonitor

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | track-web.link | udp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 199.59.243.227:80 | track-web.link | tcp
US | 1.1.1.1:53 | api.triggerhood.com | udp
DE | 185.53.178.54:80 | api.triggerhood.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/com.ezzebd.androidassistant/cache/volley/-839601416681133063

MD5 894e53f613d3bbf376b5e5a580dace0f
SHA1 5beb341d7501ae9151d4455f32b48b67b47a82db
SHA256 3fe1a6f6e57b864c66fc687fad13d9c8255999a13fefa2c1c7102d0d2d5c962d
SHA512 74e251a74fc8002bc4afe4319d555477d8b2e8114d097208ea1b9448568ce8060d48ea7282ed9aa21c71140ec8fe4286d97db2e488c7cc59e9671a8058b188e1

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 e4539bb5af3725eec79d7635ee670723
SHA1 8e6ef994ef9f5dd7b1a036560b4d4061e772bb7a
SHA256 0ada25a78015b89b078ec5747e6bc7a167f4fa65de4d29f09a0a53a46040a0dc
SHA512 45324eb5bb087d6c95dd0bc75a159cc2d6e9f444d03527fc34222b92ff2ef481195fde7abd8c3e83d2edfa55b27be1bcbf9ba4a32936b223fa1b0f4c418d7984

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 20a3e82fe4e9614c032ee158c85e2a96
SHA1 61a034d191ff858067940321e879b7e8c2519525
SHA256 d0f5a3281f9933f6fd6da24320a0054d4ea2977fe82e3d97f818cfd2dec6fa02
SHA512 7d031e5726cb1770c3a7f78f2c2bd180bb2c15d8317f5d190218ff7e4b6d7db22b3aa3eb17bf0ccb1e76ac2898939f57afe74db376a26183a095c086a1ebdf49

/data/user/0/com.ezzebd.androidassistant/databases/beyondAppSDK.db-journal

MD5 3edcd8b04bdafab95dceb0d4007d064d
SHA1 c112c4ba19c56f6056cb8cf5be399102854bea87
SHA256 16316bdd2a0cd31cdcc0642551f07eff098607b682dedd959942778e24ae8564
SHA512 2d8bcbf037b02fe91bbfa8c317dccd8f31b00aab97a3141e8c42ed2e92389ede26631f16ffe31f694ca153d4414fbf0ef92c6ffcaf34c50639c4ff43839e3549