Malware Analysis Report

2025-08-10 23:58

Sample ID 240518-hsj67sgg81
Target 537bba847c27f636fa8d4113c7dfefda_JaffaCakes118
SHA256 b484d8722a5d09cefd45f0c6fae08834029fce8920284bc9aecbd5ea2528d5ea
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b484d8722a5d09cefd45f0c6fae08834029fce8920284bc9aecbd5ea2528d5ea

Threat Level: Likely malicious

The file 537bba847c27f636fa8d4113c7dfefda_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks if the internet connection is available

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 07:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 06:59

Reported

2024-05-18 07:03

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

189s

Command Line

com.mobile.sq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mobile.sq

/system/bin/sh -c getprop ro.board.platform

getprop ro.board.platform

/system/bin/sh -c type su

logcat -d -v threadtime

/system/bin/sh -c getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

/system/bin/sh -c getprop ro.build.version.emui

getprop ro.build.version.emui

/system/bin/sh -c getprop ro.lenovo.series

getprop ro.lenovo.series

/system/bin/sh -c getprop ro.build.nubia.rom.name

getprop ro.build.nubia.rom.name

/system/bin/sh -c getprop ro.meizu.product.model

getprop ro.meizu.product.model

/system/bin/sh -c getprop ro.build.version.opporom

getprop ro.build.version.opporom

/system/bin/sh -c getprop ro.vivo.os.build.display.id

getprop ro.vivo.os.build.display.id

/system/bin/sh -c getprop ro.aa.romver

getprop ro.aa.romver

/system/bin/sh -c getprop ro.lewa.version

getprop ro.lewa.version

/system/bin/sh -c getprop ro.gn.gnromvernumber

getprop ro.gn.gnromvernumber

/system/bin/sh -c getprop ro.build.tyd.kbstyle_version

getprop ro.build.tyd.kbstyle_version

/system/bin/sh -c getprop ro.build.fingerprint

getprop ro.build.fingerprint

/system/bin/sh -c getprop ro.build.rom.id

getprop ro.build.rom.id

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.227:443 tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp

Files

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 22d8a44244a927ad400864d7d90c8261
SHA1 a6ee15ffac5a79398f2ff6ffe8788e68cbd32527
SHA256 c2a331f84acd091322f7a3ac874ae1acaa6652188c0fde67108329e2f8a14119
SHA512 8af97c316fda31a0aac078bee8b30a38045d91e96c8a543490f86b0017b6f7e6a0de8b717f7a638d5dfa9c0bad59b0cdcf0d8293199fe0eea2631cb8994f0ae0

/data/data/com.mobile.sq/databases/bugly_db_legu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mobile.sq/databases/bugly_db_legu-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.mobile.sq/databases/bugly_db_legu-wal

MD5 000dd5d0901c243e6702fb591ef808f8
SHA1 8ec363424edd3d639007ab7b7c1aea921621ab36
SHA256 96ee4a1583e2d1e68e732d565fa693dd6d7ef1177ad74427c9c7828aadbbb3f9
SHA512 5c543444ca518b8e4fca128bfc68025e941d10519b2580b0b5dc08fa38b875cf21a34c8730f385e8da85841495882b0d5e671f0603436cac3a59106f03685d5e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 06:59

Reported

2024-05-18 07:03

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

183s

Command Line

com.mobile.sq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.mobile.sq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
GB 216.58.212.226:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp

Files

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 31d5856712d5b4791a6b59f3aa265296
SHA1 f92475075ea13e8e3e99ddfb22e8d603380260a2
SHA256 f2aa545b3f243e42f8a95d56dbe0c8fce37d226db18b2f91b17e1ad7b43b3b9c
SHA512 949c3c7445aff2fca72d35719a0069f31082172e602f2af3b2413611b623cedb9d99283b20ab6d68787fce246c30adae5ef2192860a0508a5e8a47982ea10823

/data/data/com.mobile.sq/databases/bugly_db_legu

MD5 5a2f63393dcae909acdd40bf96b78912
SHA1 3b15fc955cbdfe3e60610cd7b401e40e78e82d16
SHA256 ac5d97f0dec394c6931662c059995d6d753b59dec8319918ff4348aa7f059360
SHA512 9a5a629690c3c908396103e44e11ebda624206c3e148c67a7d46bd0e7932bae24cb0b7505ec5b8ae1d85ef56c07279abcdfe60362730befc55f63c18195d8e9c

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 6b411b090f3876e5b8be2f57861628d3
SHA1 64a73b3472f393f4f474f4a56f5ac7c56c16c545
SHA256 c41ef51765023e4e8a70382eff72239d9fc53ba2af9df6b11df2a3fc081f1f15
SHA512 866f6a608203599e5023575375cbbbfde29bfd34e62319daf4f3603d7099042e1787eef37eb6ac114f54385d60c76c144a1d6a6b53a9a2c184d1ca7b123709de

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 0138624c325a9d34bcc1f160211e11ad
SHA1 afa63a0d213a21bcc554cb2ff83b0ef1dae417ca
SHA256 d235f320b780ab68da7b83f3f564f351a11c77679cfb0f1b9b1eef791451c067
SHA512 27f9b28edb0677ab3556725f3eec81ce3c584e9f3e7069f7148f81d262e60d447cd859b774de5056020b17d873e1baf657f1725b55baf313c58b40a59dd7a82d

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 37897beb327331043a48ff616bbcf450
SHA1 ba23818b4e6b92d09e4d9ab27d76ea0e520342d0
SHA256 8f0552e5fcbf071144f636e19b317076538d26ff429f40d732c4041490ee7a66
SHA512 d967b4f509b5115e9ce8e9f8c27a4379adcde4f181ab0e61b66e7dc5d506faec03d363976f85c1414f4de13b989ac2ad967dfd4acd20f0def318ce2c91164edd

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 1d9cc344cbb9889baf9409911b92d66e
SHA1 dec62730bb59d899a98517af7128864458cbcfac
SHA256 8ea52ab1a2c4756cc0ee5cb244a0bcb8208c2969fff4f9330ec3509f43f517ea
SHA512 e365a09ff80992d67dfdc1b4310e9b5e9c9cf4a6133420c3b79e98aebddb942dc00bb04cacbbe4c5e8b8cba035dc3850b89468ef04febc29d748c694942e1624

/data/data/com.mobile.sq/databases/bugly_db_legu-journal

MD5 314436aa45269027f4190ff598f86713
SHA1 24660ec9e68725afc775ad1270b98b90a48458bc
SHA256 ffdd84e86de9ca85bd0e2aebe7fc6523c1dddf808377667c530e2b8ae6dd43cb
SHA512 38f3eaf2586139b328adbd29ffa67d79d2c3f35ec2fb3cc3c317bcac2b6fb2d4095af64ccb0244ebb20ad7dd7caad854d94b19c07885d1a1e3ccbd8adb19cf2d

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 06:59

Reported

2024-05-18 07:00

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 06:59

Reported

2024-05-18 07:00

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 06:59

Reported

2024-05-18 07:00

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A