Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-s57s5sef31
Target 503cebbbec920e1e7c2b6b9629963fe8_JaffaCakes118
SHA256 52f42759b12eadd13a2c13e3b3746a1faed3c8a5eb1cd5079e3bc4fc37dfd7e4
Tags collection discovery evasion impact persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 52f42759b12eadd13a2c13e3b3746a1faed3c8a5eb1cd5079e3bc4fc37dfd7e4

Threat Level: Likely malicious

The file 503cebbbec920e1e7c2b6b9629963fe8_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Requests cell location

Checks if the Android device is rooted.

Queries information about the current nearby Wi-Fi networks

Checks CPU information

Checks memory information

Queries information about the current Wi-Fi connection

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 15:43

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 15:43

Reported

2024-05-17 15:46

Platform

android-x86-arm-20240514-en

Max time kernel

167s

Max time network

182s

Command Line

com.jingdong.pdj:guard

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | N/A | N/A
N/A | /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | N/A | N/A
N/A | /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | N/A | N/A
N/A | /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | N/A | N/A
N/A | /data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.jingdong.pdj:guard

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jingdong.pdj/files/hotfix/oat/x86/rocoo_0.odex --compiler-filter=quicken --class-loader-context=&

com.jingdong.pdj

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

rm -rf /storage/emulated/0/log/

/system/bin/sh -c type su

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq

/system/bin/cat /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.212.227:443 | N/A | tcp
US | 1.1.1.1:53 | storage.jd.com | udp
US | 1.1.1.1:53 | gw-o2o.jd.com | udp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
GB | 163.171.144.40:80 | storage.jd.com | tcp
GB | 163.171.144.40:80 | storage.jd.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | lbs.map.qq.com | udp
CN | 119.147.190.111:80 | lbs.map.qq.com | tcp
US | 1.1.1.1:53 | dispatcher.3g.qq.com | udp
CN | 183.61.38.168:14000 | N/A | tcp
CN | 112.90.140.213:14000 | N/A | tcp
CN | 180.163.210.30:80 | dispatcher.3g.qq.com | tcp
CN | 180.163.210.30:8080 | dispatcher.3g.qq.com | tcp
US | 1.1.1.1:53 | hxqd.openspeech.cn | udp
CN | 114.118.64.119:80 | hxqd.openspeech.cn | tcp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
US | 1.1.1.1:53 | pingma.qq.com | udp
CN | 119.45.78.184:80 | pingma.qq.com | tcp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
CN | 117.135.171.182:14000 | N/A | tcp
CN | 180.163.210.30:14000 | dispatcher.3g.qq.com | tcp
CN | 112.90.140.216:14000 | N/A | tcp
CN | 183.47.104.112:80 | lbs.map.qq.com | tcp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
CN | 112.90.140.213:80 | N/A | tcp
CN | 183.61.38.168:80 | N/A | tcp
CN | 120.52.30.36:443 | gw-o2o.jd.com | tcp
US | 1.1.1.1:53 | lbs.map.qq.com | udp
CN | 119.147.190.111:80 | lbs.map.qq.com | tcp
CN | 117.135.171.182:80 | N/A | tcp
CN | 112.90.140.216:80 | N/A | tcp
CN | 183.47.104.112:80 | lbs.map.qq.com | tcp
US | 1.1.1.1:53 | zxcv.3g.qq.com | udp
CN | 119.147.190.111:80 | lbs.map.qq.com | tcp
CN | 183.47.104.112:80 | lbs.map.qq.com | tcp
CN | 119.147.190.111:80 | lbs.map.qq.com | tcp
US | 1.1.1.1:53 | zxcv.3g.qq.com | udp
CN | 183.47.104.112:80 | lbs.map.qq.com | tcp
US | 1.1.1.1:53 | lbs.map.qq.com | udp
CN | 119.147.190.111:80 | lbs.map.qq.com | tcp

Files

/data/data/com.jingdong.pdj/files/hotfix/rocoo_0.dex

MD5 46744a1aca14068de6e9b1e472d2c05a
SHA1 d874561ebfe19828cf1b46d52fc350cefd0e6f4e
SHA256 ddef743e2ccf1f205ae953e1899b2587f2676e8ddbe18d10064b91bbc9d46e3e
SHA512 59c7e824f117745ec1a51981532bcc92a439dba52cd786ffeba65bdb7682c46bc688282d2219c968f28d9949eb8c0de47fcbe4843ca2ab062ba6954b21c4d9ac

/data/user/0/com.jingdong.pdj/files/hotfix/rocoo_0.dex

MD5 8ae8a68f62b0a97af7a3ebceb544091c
SHA1 98fa1f16b1ceb1764c284f5c36c5216360c17691
SHA256 3452be53d4ab744d9134a75942a29e09b3001fbbb9d19bf027563823a14593cb
SHA512 0090f6be8dd347ad3f8f5ddaa963b2d49f5f60685a485fab0d4dfe87c4b8793a73b2c1b91f903b95571e604f3231b7023c99fb868c3a7a1656ceb910f596e5a9

/data/data/com.jingdong.pdj/files:channelId_2_1

MD5 b6d6e45731e85d04945994d952e0ab18
SHA1 46055a17ce2e302a3330a2412730ac00e50069b5
SHA256 9425f5ec8c3f41caea0a46c9eb9b568ace5f707b6b0539b725ed87fd7576240a
SHA512 bed70a68c8d6d001dac2d325ec6dd1703fa5a8bc9dedb058f928aefea0c46df2c64083baafb935a4ea63596c830b767f4a6bd2a07d683b0b4f3de04d51d948c8

/data/data/com.jingdong.pdj/databases/bugly_db_-journal

MD5 c8a2b36335e25a88a066b86f84529c07
SHA1 7cff924c4f92f7d4c908bf94ad312f0161a5d300
SHA256 8f215d93d96cdec8dd4a9fdda0a55a2ceed64e4b4906c2c43dd0d1e9eb57ed55
SHA512 bf5fcc919997f82c00b1c81b6fcb66f9ec00d0faee3ec55ac94e23028d1170f5786e772e56f36c077989cf7e592dbbc6b42508c5fcf3f27970de1b20b2297963

/data/data/com.jingdong.pdj/databases/bugly_db_

MD5 aa99281ce0cd69a9302f8b64b918ad75
SHA1 ccafc0e5fb16198e466b209a888301f4100fafe8
SHA256 a3cde8388c50e78c7b3c8dab1d0c46c64c375248031adbb6a5802e3da65bb431
SHA512 a8b80f09a555652d3e4b9775b6aa58341dad7fb120509e128df417533ba361353b19530306e8691f1ce5fc0c69f1a89d29bd2eb176291a5e85b945d14c9eb085

/data/data/com.jingdong.pdj/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jingdong.pdj/databases/bugly_db_-wal

MD5 bdbc265c689eb95c51ca0b48ed9d2ae2
SHA1 2bad6f2769413bc0d718025b7d964e4bfcba1acd
SHA256 06407a9fea14a8aecfcc0cd6c645da7f5015300da271698c7f3a8669c35475a2
SHA512 365950a28b43ab8d5dc29dfbfc0fded500bc0cb3d04735be4527e5e206a53b0179e39d591e8e432de8501ea09b1807ec24ec6df7d2a0aaa37a3d7fdfe20bf768

/data/data/com.jingdong.pdj/app_crashrecord/1004

MD5 d2dbef03d0e9a5a327fadc520ba9ce97
SHA1 dc63c610d544e769f074e0d5f3920c938763f712
SHA256 512777f2df858c4a56ca9b888e6741b46b0e11ef5c529686c3339f6dabf4c627
SHA512 dca52dc718126315d96b01db7e4bc7a42b0a18a39916f47d4513fc039127ed0d9aa4e582d3f8f766849880c82d11b0c94a10dc95a8189e9bb47722e6381a6c9c

/data/data/com.jingdong.pdj/app_crashrecord/1004

MD5 bf6144889bdb44c97395633a85f7c008
SHA1 0d697d00feac57d4721c3dc8d6661f108e1698c0
SHA256 676737178fd6ffb3c956a3611283a074920382f927706bb86bc0ef3bf4f162c3
SHA512 cf8abf87401b580bdd8ad9710ed0f738ccfc90d19aacef1b3ea16a69278a1a628d0c1b3e5d6d46ee4e8d77f00d329bace71597d5d19c0bc3b11e958e80afb68d

/data/data/com.jingdong.pdj/files/versionName.txt

MD5 5cd7df6f0da1041317520d2a213f2425
SHA1 c616adc821d873c7967afa9792b4710ae258dd39
SHA256 4477667df23eb82d488f2fe19a6be089539ba770eba91cdadd7f497de5093c60
SHA512 89c9f1c419875b08f496372b11e73d6d5ca61d81f6b1d2585f9ab2ea579385d0b07535f05948b25b57ae98fb28625afe1dcf923557664363a2d53b739cd0049e

/data/data/com.jingdong.pdj/databases/access.db-journal

MD5 2c412bab344ef622116c2742c6a61ee2
SHA1 03d0d0684ee1f8b43f1dc65e4e4cdd5f27c15ebe
SHA256 e0131e3b536e044cd4f2fea92b2f09a6f6abe4170cdbb42fda4e66546d3a8112
SHA512 7fac2d7f9efb471f562a28837f7b345027fba240992b64ec6a1ec5f5c4baf099af70ea65afaedab5fb8d266791909031e091c9b4a2ee9d7c29532af21423ab1b

/data/data/com.jingdong.pdj/databases/access.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jingdong.pdj/databases/access.db-wal

MD5 83e3e0e0c83eb88c571eee3606248e7c
SHA1 7911eb54608d786cfe8e16da17631d0fac5f84bf
SHA256 8517b5841d259cf599a0b5804e69be4930687f870d024f5f45edc9f74d28a221
SHA512 b1d7c1006d920bcacffcb8f334748c6349e75f76d0c40cd58d46cc4cf145c0668c6e11b289d28a6b990591c94bd07bd2c4fb4a4cfb34482e0fc1677745ed3036

/data/data/com.jingdong.pdj/files:PatchVersionCodes

MD5 d86352ca9ec4e4199aeeb584f96de13c
SHA1 d6f9d1c2112729dacd06898b5d372c5ee6491530
SHA256 ee4706172c9bfd2e5cab7ad96af4e270a07346a6c6db6bbc3b0d3b2b1e525271
SHA512 38c4c969e12f738be5d8d9e0edf88a135ed382a5f54490a55a895e141925e102f4ccb417efd21e8b7646d89ee53d49f23dc0e4cf4325ab878cba762dd805682e

/data/data/com.jingdong.pdj/databases/bugly_db_-wal

MD5 3a80469fce1ed46531e697f1f12dcb99
SHA1 939f17b5ac15c223d775423f85d47ee560491430
SHA256 534a270f860702e0d6c4f4e4e4e391e1c3904ff6ecd84c4bc98bea652e305cc0
SHA512 7df7fe889f5921dfea27f5614a4f4dadf1ee608bafe52ab1b4b8844771443d73a8c707a7e46a04c4eb31dc6c286ae2cd15d66339fc58f46ba251f93b18ccfb09

/data/data/com.jingdong.pdj/databases/pri_tencent_analysis.db_com.jingdong.pdj-wal

MD5 7f444ec25764c1dd552906beb7ba94c0
SHA1 04e9343165f267de58e355b4394e602f197ba4bd
SHA256 7ecaf449ea28a20ed8770e4c660afccf04e792628cea6d7079bdbf36df04a9f4
SHA512 d9a4e6c37ec956595be832e9b59a2a255bc0fc0ec517b75519533938564db2179107b4b3ed03f4cd1dc4b85509574590ef8d268a574d565f0dd5ec63c567aa0c