Malware Analysis Report

2025-08-10 23:54

Sample ID: 240517-r5x39scf58
Target: 500f1ee2af1102cba6c015ee275a6c77_JaffaCakes118
SHA256: 89d2b7de9af323ad2145c375ff8a203c1bb909a5ef7c106f7addf43455d2c7a6
Tags: banker, collection, discovery, evasion, impact, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral5, behavioral7, behavioral8, behavioral10, behavioral1, behavioral6, behavioral9, behavioral2, behavioral3, behavioral4 (each with the same subsections)
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 89d2b7de9af323ad2145c375ff8a203c1bb909a5ef7c106f7addf43455d2c7a6

Threat Level: Likely malicious

The file 500f1ee2af1102cba6c015ee275a6c77_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker, collection, discovery, evasion, impact, persistence

Requests cell location

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about the current Wi-Fi connection

Reads the content of the SMS messages.

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Checks CPU information

Checks memory information

Loads dropped Dex/Jar

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-17 14:47

Signatures

Requests dangerous framework permissions

Process and Target were N/A for every row; the declared permission and its description are listed below.

android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.RECEIVE_MMS: Allows an application to monitor incoming MMS messages.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
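The permission list above is what a static triage pass produces from the manifest. As an added example (not part of this sandbox report or its tooling), the Python below performs that triage against a manifest constructed from the ten permissions listed, and additionally flags the permission combinations that together match SMS-OTP theft, premium-SMS fraud and overlay phishing. The DANGEROUS and SPECIAL sets and the combination rules are my own choices, not the sandbox's; a real APK ships AndroidManifest.xml as binary XML, which must be decoded (apktool, androguard) before this parser can read it.

```python
"""Static permission triage for a decoded AndroidManifest.xml.

Added example for this report, not sandbox tooling. SAMPLE_MANIFEST is
constructed from the permissions the static1 pass lists for this sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the ten permissions reported by the static1 pass.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.xpkvko.labakdac">
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="sample"/>
</manifest>
"""

# "dangerous" protection level (runtime prompt since API 23). Partial list,
# chosen for this sample; extend as needed.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Not "dangerous" but granted through a special-access screen; both matter for
# overlay attacks and settings tampering.
SPECIAL = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.WRITE_SETTINGS"}
# Permission sets that together match banker tradecraft (my own rules).
COMBOS = {
    "sms-otp-theft": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "premium-sms": {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"},
    "overlay-phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def declared_permissions(manifest_xml):
    """Names of every <uses-permission> element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def triage(manifest_xml):
    """Dangerous/special permissions present, plus which combination rules fire."""
    perms = declared_permissions(manifest_xml)
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "special": sorted(perms & SPECIAL),
        "combos": sorted(name for name, need in COMBOS.items() if need <= perms),
    }


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_MANIFEST).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

On the constructed manifest this reports nine dangerous permissions, WRITE_SETTINGS as the one special permission, and fires the sms-otp-theft and premium-sms rules; overlay-phishing does not fire here because SYSTEM_ALERT_WINDOW is absent from the static1 list.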

Analysis: behavioral5

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x86-arm-20240514-en
Max time network: 5s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | | tcp
GB | 142.250.200.42:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Nothing attributable to the sample was recorded in this run: no process, signature or file. The traffic is mDNS multicast (224.0.0.251:5353) and TLS to Google-owned addresses (216.58.x and 142.250.x), i.e. emulator background activity. The same holds for the other short runs (behavioral7, 8, 10, 6, 9, 2, 3, 4); only behavioral1, with a 180s network window, produced results.

Analysis: behavioral7

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-arm64-20240514-en
Max time network: 6s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x86-arm-20240514-en
Max time network: 4s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-arm64-20240514-en
Max time network: 6s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:50
Platform: android-x86-arm-20240514-en
Max time kernel: 14s
Max time network: 180s

Command Line

com.xpkvko.labakdac

Signatures

Process and Target were N/A for every indicator in this run, so only the description and the indicator are shown.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker, discovery

Requests cell location
Tags: collection, discovery, evasion
Framework service call: com.android.internal.telephony.ITelephony.getCellLocation

Checks CPU information
Tags: evasion, discovery
File opened for read: /proc/cpuinfo

Checks memory information
Tags: evasion, discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.xpkvko.labakdac/files/new_md.jar
Indicator: /data/user/0/com.xpkvko.labakdac/files/new_md.jar
Indicator: /data/user/0/com.xpkvko.labakdac/files/Plugin2.apk
Indicator: /data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar
Indicator: /data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar

Queries information about the current Wi-Fi connection
Tags: discovery
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Reads the content of the SMS messages.
Tags: collection
URI accessed for read: content://sms/

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Checks if the internet connection is available
Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator.
Tags: discovery

Requests dangerous framework permissions
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.CAMERA: Required to be able to access the camera device.

This list differs from the static1 pass: SYSTEM_ALERT_WINDOW, CALL_PHONE and CAMERA appear only here, while WRITE_SETTINGS, RECEIVE_MMS and ACCESS_FINE_LOCATION appear only in static1. Treat the union as the sample's permission footprint, and check whether the dropped Plugin2.apk carries a manifest of its own.

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal
Given the dropped new_md.jar, Plugin2.apk and 5.0.9.jar, a Cipher.doFinal call is at least as consistent with decrypting a packed payload or configuration as with encrypting user data; the indicator alone does not distinguish the two.

Processes

Four process entries were recorded besides the package's own: two shell commands (service list and getprop, which enumerate Binder services and system properties; getprop is a common emulator-fingerprinting step, consistent with the /proc/cpuinfo and /proc/meminfo reads above) and two dex2oat invocations compiling the dropped new_md.jar and 5.0.9.jar out of the app's private data directory. The trailing --class-loader-context=& is truncated in the report.

com.xpkvko.labakdac

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xpkvko.labakdac/files/new_md.jar --output-vdex-fd=121 --oat-fd=122 --oat-location=/data/user/0/com.xpkvko.labakdac/files/oat/x86/new_md.odex --compiler-filter=quicken --class-loader-context=&

service list

getprop

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar --output-vdex-fd=133 --oat-fd=134 --oat-location=/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/oat/x86/5.0.9.odex --compiler-filter=quicken --class-loader-context=&
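The two dex2oat lines are the process-level trace of the "Loads dropped Dex/Jar" signature: ART is compiling code that lives under the app's private data directory rather than in its installed APK. As an added example (not sandbox tooling), the Python below parses the process list above, copied verbatim including the truncated --class-loader-context argument, and pulls out every dex/jar compiled from the package's private storage together with the odex it produced. Note that Plugin2.apk appears in the signature but in no dex2oat line, so this process-level view is a subset of what the framework-level signature sees; use both.

```python
"""Recover runtime-loaded code from dex2oat command lines.

Added example for this report, not sandbox tooling. PROCESS_LINES is the
behavioral1 process list as printed in the report; the dex2oat entries end in
a truncated --class-loader-context argument, kept exactly as shown.
"""
import shlex

PKG = "com.xpkvko.labakdac"

DEX2OAT_COMMON = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
)

PROCESS_LINES = [
    "com.xpkvko.labakdac",
    DEX2OAT_COMMON
    + "--dex-file=/data/user/0/com.xpkvko.labakdac/files/new_md.jar "
    "--output-vdex-fd=121 --oat-fd=122 "
    "--oat-location=/data/user/0/com.xpkvko.labakdac/files/oat/x86/new_md.odex "
    "--compiler-filter=quicken --class-loader-context=&",
    "service list",
    "getprop",
    DEX2OAT_COMMON
    + "--dex-file=/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar "
    "--output-vdex-fd=133 --oat-fd=134 "
    "--oat-location=/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/oat/x86/5.0.9.odex "
    "--compiler-filter=quicken --class-loader-context=&",
]


def parse_dex2oat(cmdline):
    """Return the --key=value options of a dex2oat invocation, {} for anything else."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return {}
    opts = {}
    for tok in argv[1:]:
        # "--runtime-arg -Xmx512m" style pairs carry no '=', so they are skipped here.
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts[key] = val  # a repeated key (instruction-set-features) keeps its last value
    return opts


def runtime_loaded_code(process_lines, pkg):
    """(dex path, odex path) for every dex2oat run over the package's private data.

    /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so both roots are checked.
    Code compiled from /data/app/<pkg>/ (the installed APK) is deliberately excluded.
    """
    private_roots = (f"/data/user/0/{pkg}/", f"/data/data/{pkg}/")
    found = []
    for line in process_lines:
        opts = parse_dex2oat(line)
        dex = opts.get("dex-file", "")
        if dex.startswith(private_roots):
            found.append((dex, opts.get("oat-location", "")))
    return found


if __name__ == "__main__":
    for dex, odex in runtime_loaded_code(PROCESS_LINES, PKG):
        print(f"runtime-loaded: {dex}\n    compiled to: {odex}")
```

Both the .jar and the generated .odex are worth collecting: the odex is what the runtime actually executes, and if the sample rewrites the jar afterwards (the Files section below records several versions of the same path) the odex may be the only intact copy of an earlier stage.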

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.51mrp.com | udp
US | 1.1.1.1:53 | yueyoufw.ldtang.com | udp
US | 1.1.1.1:53 | mm.sdfsdfsdf.top | udp
US | 1.1.1.1:53 | www.zhjnn.com | udp
US | 1.1.1.1:53 | cserver1.rjylq.cn | udp
CN | 39.108.61.29:80 | | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | m.neihanshequ.com | udp
US | 1.1.1.1:53 | report.api.zhifabufa.net | udp
US | 1.1.1.1:53 | sdk.api.zhifabufa.net | udp
US | 1.1.1.1:53 | pv.sohu.com | udp
US | 1.1.1.1:53 | sdk.qipagame.cn | udp
CN | 121.40.109.196:8088 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | sdk.api.zhifabufa.net | udp
US | 1.1.1.1:53 | pv.sohu.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
CN | 139.129.132.111:8001 | | tcp
CN | 39.108.61.29:80 | | tcp
GB | 142.250.187.206:443 | | tcp
CN | 39.108.217.60:80 | | tcp
CN | 114.215.27.211:8012 | | tcp
CN | 139.129.132.111:8001 | | tcp
CN | 114.215.27.211:8012 | | tcp
CN | 139.129.132.111:8001 | | tcp

Every DNS query goes to 1.1.1.1 (the sandbox resolver), so the US country on those rows belongs to the resolver, not to the queried name. The 224.0.0.251:5353 multicast (mDNS), android.apis.google.com, semanticlocation-pa.googleapis.com and the 142.250.x TLS connections are platform background traffic; alog.umeng.com and pv.sohu.com are third-party analytics endpoints. The remaining queried names and the plain TCP connections to CN addresses on ports 80, 8001, 8012 and 8088 are the destinations to attribute to the sample. Several rows repeat because the same destination was contacted more than once.
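Turning a table like this into indicators means separating sandbox and platform noise from what the sample itself reached out to. As an added example (not part of the report), the Python below does that over the rows above, copied verbatim without the header. The platform suffixes, the Google-announced prefixes 142.250.0.0/15 and 216.58.192.0/19, and the analytics-SDK suffixes are my own lists, not something the sandbox states; adjust them for your environment.

```python
"""Split a sandbox network table into platform noise, SDK telemetry and sample IOCs.

Added example for this report, not sandbox tooling. NETWORK_ROWS is the behavioral1
Network table as printed (country, ip:port, optional domain, protocol).
"""
import ipaddress

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.51mrp.com udp
US 1.1.1.1:53 yueyoufw.ldtang.com udp
US 1.1.1.1:53 mm.sdfsdfsdf.top udp
US 1.1.1.1:53 www.zhjnn.com udp
US 1.1.1.1:53 cserver1.rjylq.cn udp
CN 39.108.61.29:80 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 1.1.1.1:53 m.neihanshequ.com udp
US 1.1.1.1:53 report.api.zhifabufa.net udp
US 1.1.1.1:53 sdk.api.zhifabufa.net udp
US 1.1.1.1:53 pv.sohu.com udp
US 1.1.1.1:53 sdk.qipagame.cn udp
CN 121.40.109.196:8088 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sdk.api.zhifabufa.net udp
US 1.1.1.1:53 pv.sohu.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
CN 139.129.132.111:8001 tcp
CN 39.108.61.29:80 tcp
GB 142.250.187.206:443 tcp
CN 39.108.217.60:80 tcp
CN 114.215.27.211:8012 tcp
CN 139.129.132.111:8001 tcp
CN 114.215.27.211:8012 tcp
CN 139.129.132.111:8001 tcp
"""

# Assumed noise lists (mine, not the sandbox's).
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com")       # Play Services background traffic
SDK_SUFFIXES = (".umeng.com", ".sohu.com")                   # Umeng analytics, Sohu page-view tracking
PLATFORM_NETS = [ipaddress.ip_network("142.250.0.0/15"),     # Google-announced prefixes seen here
                 ipaddress.ip_network("216.58.192.0/19")]
RESOLVER_PORT = 53


def parse_row(line):
    """One table row -> dict, or None for blank/header lines."""
    parts = line.split()
    if len(parts) not in (3, 4):
        return None
    ip, _, port = parts[1].rpartition(":")
    if not port.isdigit():
        return None
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]}


def classify(table):
    """Bucket every destination; DNS rows contribute the queried name, not the resolver."""
    buckets = {"platform": set(), "sdk_telemetry": set(),
               "candidate_domains": set(), "candidate_endpoints": set()}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        addr = ipaddress.ip_address(row["ip"])
        endpoint = f"{row['ip']}:{row['port']}"
        label = row["domain"] or endpoint
        if (addr.is_multicast or row["domain"].endswith(PLATFORM_SUFFIXES)
                or any(addr in net for net in PLATFORM_NETS)):
            buckets["platform"].add(label)            # mDNS and Google background traffic
        elif row["domain"].endswith(SDK_SUFFIXES):
            buckets["sdk_telemetry"].add(label)       # third-party analytics, not C2
        elif row["proto"] == "udp" and row["port"] == RESOLVER_PORT:
            if row["domain"]:
                buckets["candidate_domains"].add(row["domain"])
        else:
            buckets["candidate_endpoints"].add(endpoint)   # direct connections by the sample
    return {name: sorted(values) for name, values in buckets.items()}


if __name__ == "__main__":
    for bucket, values in classify(NETWORK_ROWS).items():
        print(f"{bucket} ({len(values)}):")
        for v in values:
            print(f"    {v}")
```

The candidate buckets are what goes into a blocklist or hunt query; the analytics bucket is worth keeping as context (it tells you which SDKs the sample embeds) but will produce false positives if blocked outright, since plenty of legitimate apps contact the same hosts.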

Files

Several paths below appear more than once with different hashes (new_md.jar, Plugin2.apk, 5.0.9.jar, cc.db, cc.db-wal). /data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, so each pair is one file captured at different points in the run, meaning it was written or rewritten more than once; when collecting samples, keep every version rather than only the first.

/data/data/com.xpkvko.labakdac/databases/cc/cc.db-journal

MD5 dbdd63e6bbb9812d4b4d7553cee8da4e
SHA1 643660cb1f032016b718306d5048e4cf329b5cb5
SHA256 a963e4d97a810bab0cce3e5d5d8fc61a1f84c77595374e9a2bb93c30c506cab7
SHA512 e1fec107370c428c1c3b07db6ecec0194e7d7599245b86a4b6f8273369847bd92f83822aee5c0c8744db88173e5bcb9c631c0630a49f58dfd75744eb47246806

/data/data/com.xpkvko.labakdac/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.xpkvko.labakdac/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xpkvko.labakdac/databases/cc/cc.db-wal

MD5 88c473eb4fff3ee0988b837074e1bc77
SHA1 115e2e69383379385704df059ec8d26798bd3c54
SHA256 dc3fe6fab94c88d99b075a0caf12f104ac51e44d41ff2c1fe3c04202964f70c2
SHA512 1473d4bec1bac454d6102728bfcb6fc8f97958e6008654d3f3920318e706dfc211f5efa3f4e63425e67f359150a9d09a357025839022fdfd75b80dcb2b0f61ec

/data/data/com.xpkvko.labakdac/files/umeng_it.cache

MD5 50ad85e4e41374b5118ff1ec6e74219e
SHA1 2893ae300859f10def277d140c6b808acd7df16c
SHA256 0595b34ff6f9daf4b0f45d0b6e62416fc8a4b45bdbfcac2b7b294163b9af69db
SHA512 219d43c9f73f363887118dd8df884094b858bcaf500140fcdce2ae670bad2ccbac3906e16ad4b7b45805b8984f76c3b0dc46747e5e3572767dfeb9defd05e10c

/data/data/com.xpkvko.labakdac/files/.umeng/exchangeIdentity.json

MD5 9e31bbfedd94bddb1a155c6ec60551b3
SHA1 8e3dfd32d3857c180e04a7f89f6a1d80a66bc5f9
SHA256 0e3d8f285273821065618aa55bee0ab99542bd3238083d23d03a73f4905ae2d8
SHA512 c239476290789b38f0e67a6d97952194f9cd6d7e79c5104f42ab4d302b0fc4e93648049e24c341f9b4fae39b697d34ebfddc66d78fc383ce968fa719a3d36a2d

/data/data/com.xpkvko.labakdac/databases/cc/cc.db-wal

MD5 e30b532c92f88d426e4168b564caee09
SHA1 3e4aedc52a2ccb8a7a457b6ef2dab952fb87eada
SHA256 3ffc44b12f51624242fa24ff8ed01c3d66a6c1c2fa28b5306cabdcc4b8d77c0d
SHA512 b3482cea6033b83a1b0b5f0b0ecf3d980657a149eb0020c192d323560b3b6ee846d16ccb0544cfa6b01a44757cbcb8200e47c9cf55d208abf49193acfb7bc58b

/data/data/com.xpkvko.labakdac/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.xpkvko.labakdac/files/new_md.jar

MD5 fc8e74605c4ce010ffe0f51c14bbb9b3
SHA1 38f82b7517fdc0d881a80c64e32244ead819b815
SHA256 001c2f29557e000d84b6f586fb54ffc2c501c7d749a89540db796891b3021279
SHA512 f508dde9bfd0d64a5cb6cbcc2fa1ae1caad447502754ad93da0ffcb7603e6b785ad6dace5c65e87ec0b84af82d9b46f93824f0f74289952e25eb412efa17f5ce

/data/user/0/com.xpkvko.labakdac/files/new_md.jar

MD5 fb585df12147c75e30fb7acc4b1a6aac
SHA1 c00854e3869901c3a93a87d86bfe2560f0c94dff
SHA256 0afa5f48b018da2ed56bbad69011cfb2187944df5489b916d298bd960f4589e3
SHA512 fa653c6a1eda7b61bc33db5fc947d8fbf1bc98697b22201f5010627af6c6b2d0d1c619bee08fbd6043ed9e6a3e64238fd177dde82cc9b753b28d3088e50e4353

/data/user/0/com.xpkvko.labakdac/files/new_md.jar

MD5 701111a083e8b31e55ec814cb9c78917
SHA1 a92514f99a3af011d770a79d3699c0e6ac915813
SHA256 04bd4f9aafc801876a326b24499c5fc332a74fe6d0247790fada3e9df815702f
SHA512 55ea76b432bf0a26bff5a3db2a629e9240a866de3a2d4d9a5afe0ca7193cc7bda3b5311cfeb2cdd6d2c62e760131611f8aad3dcbcc2e76ad97cd272fa15b667c

/data/data/com.xpkvko.labakdac/files/Plugin2.apk

MD5 2ccef24c69721e9da759c19ca79b3f48
SHA1 3d5fb18fa441e1249805b7ff103df552c5ebe4b0
SHA256 0e3bfa7756771dbfbb6cab79a7a31bc74ad788b7625498617aa431d71905e20d
SHA512 a94acfa01476898c20355c07a131e33b295ce5a9b017b0aa9c14198cc97f843f05f86c27bc8cfed47040746d4b90ab5f54add0c60fde9b2929be3f5b043b9f65

/data/user/0/com.xpkvko.labakdac/files/Plugin2.apk

MD5 138591682b15761c9646ebc8b6ebf934
SHA1 658c8174a4267d080395630ed934f6f1edae9447
SHA256 f4859252dabd80e2293e2ab74aceb946145b489a15df88e5cf79d1169c5c1724
SHA512 991b78d069c1a06a2889ddc579396b80c16fa5496735827b3d304193e023939109c4f13c6ac6a1cf501eaafe1dcaa90fb594879f45d182c82145bb27db61545c

/data/data/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar

MD5 420af8883b28b70fa5698fc2c9bc1ae2
SHA1 80b2d0868f0c2170f93d2f93c61c8b430936d181
SHA256 611bbbd83419cac7976482fefa632fbb138332fb1cebc494f114787b66ade248
SHA512 f72fd329d7b9ecc7d6c7c7c117ff638456201d3797821fdd9eb8b6d5f862544507fd62985a3ecffdb33349851f6e65920962fa44f24bef20b042bcf0ca9ec645

/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar

MD5 b477ed7cd5872f72f6f91bc754738f9a
SHA1 5ce083e7b964b08c39312bbc725f9fa2c279a612
SHA256 02a5ef69d0967cc0310f315c2340fc8b088ab89d0320227a30cb58229319c034
SHA512 d41e1fa806551daecaee5bf632667e6288353532dee6996631bba121e50448bacbed8df4da1c0c63012a9421744b3d2877d28fc65872ea1bf215efd21a8f7597

/data/user/0/com.xpkvko.labakdac/app_Wyzf_plg/5.0.9.jar

MD5 8565d2e2334ff507e2262115e0f26929
SHA1 b293c7e05e0300f46b52e3ca984e2606469f9c7d
SHA256 1cc01275ac67d4f0bb70cc1156d4b199e8a74805a1528fd08dd2918450988718
SHA512 46fc1400f8627adcd27cd825b7474916a20f811dc02a7d9930d6b7ec7a01cde72494130cb1d4eacf2d8e178bada93729cfc9ef96763530043a13192b9ca0770b

Analysis: behavioral6

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-20240514-en
Max time network: 5s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-20240514-en
Max time network: 5s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x86-arm-20240514-en
Max time network: 4s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-20240514-en
Max time network: 7s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-17 14:47
Reported: 2024-05-17 14:47
Platform: android-x64-arm64-20240514-en
Max time network: 5s

Command Line: N/A
Signatures: N/A
Processes: N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp

Files: N/A