Malware Analysis Report

2025-08-10 23:54

Sample ID 240517-vcr84ahc31
Target 507f5855e37623cd1c8a9d43e70fbd69_JaffaCakes118
SHA256 cede6df0e121f7155fd607942b731db61ea3116736bb3cfe40d63b6ac7cf011f
Tags
banker collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

cede6df0e121f7155fd607942b731db61ea3116736bb3cfe40d63b6ac7cf011f

Threat Level: Likely malicious

The file 507f5855e37623cd1c8a9d43e70fbd69_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 16:51

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 16:51

Reported

2024-05-17 16:54

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

138s

Command Line

com.tuan800.tao800

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tuan800.tao800

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 m.api.zhe800.com udp
CN 140.143.220.127:80 m.api.zhe800.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp

Files

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 32a387d44831daa93317797b18c7befe
SHA1 6b0d3d8e15371309d93f7aa3abb2f789d1a87bae
SHA256 5017c06c987eae8c89d13afeb1f9d3c7aae5fab8c6e90c8599302b0811856786
SHA512 f947c73b1ed6c004b4e7810b24d56a20094e74c31438ac65c3d9f90d15102da643f141a072675aa27ed852a3ced9b64e296589347f7797a34e0b91a8fb090157

/data/data/com.tuan800.tao800/databases/tao800.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tuan800.tao800/databases/tao800.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tuan800.tao800/databases/tao800.db-wal

MD5 e6f890917cdd5233efb3997e4664ac21
SHA1 09fb033eaf4a34d45c7c82c042cbbaeae9ea603e
SHA256 57ab6a27999d4e3787297109a6e0b54703d9acb41700daccaedabeaa78d8e913
SHA512 3d4d3828fd43afecb3dd7af3227ec49f2631cfb569002d83ce1b720d815e2094fba3a4e340498074b836543c5328880601d658cbb281e93e5b7b8b5da42dc3a8

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 16:51

Reported

2024-05-17 16:54

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

150s

Command Line

com.tuan800.tao800

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.tuan800.tao800

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 m.api.zhe800.com udp
CN 140.143.220.127:80 m.api.zhe800.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
CN 140.143.220.127:80 m.api.zhe800.com tcp
GB 142.250.178.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp
CN 140.143.220.127:80 m.api.zhe800.com tcp

Files

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 f8e06d7e2dc8dc41e91173891646406e
SHA1 e725673178e8d2d9df3b4526550f6b9c7db5ab72
SHA256 4c2d45da83dac7dc1503d01563c8389d738c0582d0d6073c7dcc9355ac7760f6
SHA512 e7324790dbcf69efdbedb7c0f154aa1dc258acc04b3dafdc1e1f64c8bbd11c041a9f95c02da8c6cc77e4291acde6e35106d7979c8e044993d25e6443ea1489a6

/data/data/com.tuan800.tao800/databases/tao800.db

MD5 9ee915a3495d9cd728896075b684377d
SHA1 5ef9d765afddd0b7a34ff6bb2e0ef057a107f27e
SHA256 ea3bac132052d295d71cdf7f1cd132f67f206034e29cffc45d8d6950dc739275
SHA512 f7542cf4db82a7d9fb90bf4cdf7b23ea9e829d047092e0425470124f31c02d8454a9b4259e6b5744400d4d9cf7ec9bdbfb325d940ca5d6f3cbd3d539d38b9502

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 885426ab49e52fc3ee552a30c24abd4e
SHA1 a6454d692381f778061877ee1dd82345e66db031
SHA256 38b28a93007b244543f37a7498ff55306b5917d9580b64c308cd5ee376a078a0
SHA512 1fce8c2f42c8589ffd0b7e58348d206308e6f65f1e473c76d3465bc1dd75fe81abd76dbebffc06acb06fd652c7f001ee686758425cf74526e2acd96e292ad6c3

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 a23456966385c61173356003ea0415dc
SHA1 0c482fb5bc423098f0353a34f55c9c1aef77adae
SHA256 049126692a132ccd0c7527aa818fbea28441d5cecf54fc24a58d4ca408d9b56e
SHA512 d1357b992319076f58774c8fded07fa30b234ff1aa4550ff849886ad12e36f3f8bf3d023770b1818e075e2377320efeef3c82ccdd353e9c9945c42330ca369a4

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 d879948b72376d1ca3cbe01dc772e988
SHA1 fce0afd1bafeb57c8ffc514acbe2a29d735ffeaa
SHA256 d51515abc3843fced55e4d4742f080ed62914fb2828400de63b58d2a55114343
SHA512 b65c33d2091bec711dc657cb8b1572c8d0732f47c0fddb7c06b2cd1cbd41717ebf3991afe322ed370eaa9a6c517669649cf1c314ed54f5ffa4a9ec87bdea5172

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 43fb3cc980060e183e54bf19f9ef150b
SHA1 51d0069f8aa4531d791fce5e7f9c13239b739016
SHA256 681247f480533d8580f421188afde132470427e983d060d57dbacc4fb38e1d82
SHA512 6d4026a3a5ce97d7a78e4261d2e715a30e194e3710183940fcdde00374b794d93b519e7ff98190858a01d807b4498f59fdc895e10ae5764a4993e08ca03db000

/data/data/com.tuan800.tao800/databases/tao800.db-journal

MD5 9958c27f9ff1e43fe04886e34074ef08
SHA1 0dfd671886127d37e157d6757082297d1d09e09d
SHA256 44e9b1b0d6da73b7f339c8a581dcfa3a3a9b781d8b91b91056b2e0f99bfa1979
SHA512 0daeaf8a62f5f99bc9d0217c97b797ea27e9cc6a3f30903a9982d20dc02d9b8edac6b4a93061a8bb82a321e94a61c275f924877eacd0affd9cce1e7a3f192c5a