Malware Analysis Report

2025-08-10 23:58

Sample ID: 240518-jh64naab2w
Target: 53a516db611a3d600f12155b01e1ff74_JaffaCakes118
SHA256: b9e7fb383c21308a930c82e206497390824d40ffc63b5f705889212f26a7a359
Tags: discovery, impact
Score: 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 6/10

SHA256: b9e7fb383c21308a930c82e206497390824d40ffc63b5f705889212f26a7a359

Threat Level: Shows suspicious behavior

The file 53a516db611a3d600f12155b01e1ff74_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, impact

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-18 07:41

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-18 07:41
Reported: 2024-05-18 07:44
Platform: android-x86-arm-20240514-en
Max time kernel: 34s
Max time network: 168s

Command Line

com.xmoo.noface

Signatures

Checks if the internet connection is available

Tag: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.xmoo.noface

chmod 755 /data/user/0/com.xmoo.noface/.jiagu/libjiagu.so

chmod 755 /data/user/0/com.xmoo.noface/.jiagu/libjiagu.so

/system/bin/dex2oat --instruction-set=x86 --dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex --dex-file=/data/data/com.xmoo.noface/.jiagu/classes.dex!classes2.dex --oat-file=/data/data/com.xmoo.noface/.jiagu/oat/x86/classes.odex --inline-max-code-units=0 --compiler-filter=speed

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | f.appjiagu.com | udp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| GB | 142.250.178.3:443 | | tcp |
| GB | 142.250.187.228:443 | www.google.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |
| CN | 180.163.249.208:80 | f.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | f.appjiagu.com | tcp |

Files

/data/data/com.xmoo.noface/.jiagu/libjiagu.so

MD5 acd3a64e22c56dc0628edd7615a74ab4
SHA1 ec22ef7fa9dca4b475af2724d483bda140370ca7
SHA256 c57cffd4175fcd618f29d48eeba1b8b30e2bfd4ce9e05c6c5b0bc4378914d008
SHA512 ec93027efd827742d3f9db70c4d4aba51e817191ff888aa2337939f2ce518b98f1c1f7ed3d49d25d3bff47738f68ead6348b1b309c54a17e18c4460cc2142e3e

/data/data/com.xmoo.noface/.jiagu/classes.dex

MD5 f963850443b343123a5521b7100a9eb1
SHA1 9841b70f218bedd0026c3f585a0698da1c8a86e7
SHA256 d6d066261ef4ef0a86ad6c9556e5ab01619f90dd4a9020227fce469f4fabc864
SHA512 3450cdbac91812273c4fd92a96ef3ab1080169e8ba42a5bf855af46197170d4bdc2f7f0008861ab0ccb6171ed9b3d5c3e1996ed87b7e1c115fbbb5f93cda3233

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-18 07:41
Reported: 2024-05-18 07:44
Platform: android-33-x64-arm64-20240514-en
Max time kernel: 7s
Max time network: 132s

Command Line

com.xmoo.noface

Signatures

N/A

Processes

com.xmoo.noface

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 216.58.201.100:443 | | udp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.35:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 142.250.179.227:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| US | 34.104.35.123:80 | | tcp |
| GB | 142.250.179.227:443 | | udp |
| GB | 216.58.201.100:443 | | udp |
| GB | 142.250.180.4:443 | | udp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |

Files

/data/user/0/com.xmoo.noface/.jiagu/libjiagu_64.so

MD5 50132c32a26a923539d8e33982584fc0
SHA1 627d770948b0df82024a67e8c6e2d24e02c6af42
SHA256 3e29e52a3139ae44e7ce621c3d9bfb9584bfc3280be727b9ead2ae64f831f258
SHA512 adac859261d2b8e868578e941dfa639eff1a4ee95e2930e3b0899db3ff06d31b35eb612c302132e46abbf87611cfbe9f487b0d8f30c403398e8561abfd3a05e9