Malware Analysis Report

2025-08-10 23:58

Sample ID 240518-kqz6racd67
Target 53eb5b9ca3430299c42da952ce634f4a_JaffaCakes118
SHA256 1e65987c63389d24af9551cbad99ce69461a6ab6f2cdff434fbf968f0a8ea10b
Tags
persistence discovery evasion impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

1e65987c63389d24af9551cbad99ce69461a6ab6f2cdff434fbf968f0a8ea10b

Threat Level: Likely malicious

The file 53eb5b9ca3430299c42da952ce634f4a_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence discovery evasion impact

Checks if the Android device is rooted.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 08:49

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:52

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

159s

Command Line

com.fdcz.zsct

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.fdcz.zsct

Network

Country Destination Domain Proto
GB 142.250.200.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.169.66:443 tcp
GB 142.250.179.238:443 tcp

Files

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 d0276a197242806ea33227bf198c42dc
SHA1 290a9dd25d1be28d5504e024b9717f91e9ab9f5b
SHA256 0177f8facbb8b33151fe9f20f890454a9a1bbe17390d0fd4baffbf2a8a212dea
SHA512 e92cf5cb5fc60b0511c3b9968c2237122444c86ca868490891dacd1a82e394e97c8f8d680416d69602a0e0eb810f350b230c340069e39d84164467bc15e5ac9e

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-wal

MD5 51565a4ad1654ee0bdfa9455cde05591
SHA1 97c13a60c2e8df4b6c23480cf5658781dbbe15ca
SHA256 224882bb0af4f1cc5e587a6262c74cff548bb8060afaeb5b38c0fb88ab8c6297
SHA512 36badd21c12cd3cb0e713b945e0d65db4ba563b1ea2147019c2a2cd4a9a4552d91de5d0136169c511d735636422e51e004933ede0bcfed50436fbce99ea49490

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:52

Platform

android-x64-20240514-en

Max time kernel

11s

Max time network

190s

Command Line

com.fdcz.zsct

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.fdcz.zsct

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 14.22.7.199:80 android.bugly.qq.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp
GB 216.58.213.14:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 74b4ab2a9a52c2c804a6c9cdeb51d179
SHA1 e3f22fc0b06135b8d52fa108ca6a7196422d18ae
SHA256 eab70a08b31200ebc8914b51131ea251cb7c7ec3dc9c768f2457346e21e4d1b9
SHA512 6703ef49914287e7eef1d80ccb7653c40b46afaa959b79e3b2b3bdebfae84d2539912be6326dc830e4b791a9e75d88154db668e47a4f230e235e5f23e74677f3

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu

MD5 d0c3a96fd4613bbe9a7f08f67817fe9f
SHA1 b709da4d43d8d5d6b82404b7745a74521396dcdb
SHA256 bd8887e69c9750093b5807720db7a91340ea0dbda08373b81a9835e391a0d5f8
SHA512 f6e196a698f3b041df76195ed2556c40c63fcd682ff094c600b64b3463b8ea8b270a1b53703e930a0f86771793bc9936c512eb76fae702f739140dbca71bcb42

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 9088412642126827ecee2db22c8ee637
SHA1 1fe347e00f46c65fc94ca688332b604ab2196246
SHA256 d1b670f6b7b676e4c591eafe992ac6ecf73790c5dd89eccbd5e17d251c703993
SHA512 b7b7508ff1c573e98bbf7f598fe3dcaae69fedba5ab94627539e24158d76dc34d4fe2d28547d47ef1f7eb0b08110825682d8eb7e103e71b668991833d4a03899

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 bc891a8d8dfc26fa24262bceef1aefc1
SHA1 e886f53f8aa8ba465af95febfdb6ec660adb7ad8
SHA256 15f430f2c85f3d01792d2c6742d964029d5c11268329414ca04f8ec3a56a6725
SHA512 da9bafc4628f0c6a262771f95959027a48034b8812b5a0886719a79e2a5fb4c57d954ce02c92b1a2d40cf5a6508868ea0441f8bedb4890ccdbfb8e4ab51f338b

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 29837506cf8ed74f091383df8c997311
SHA1 6c06cde0bfacf5ce27552416527b8643ccbe816a
SHA256 dc39926cd7cf8767be4aca982c21eae5dab308f3248c4c29c89d6bcdac7dade3
SHA512 f582dc8c58a69482683bfee9fbab97efb269ba8a7762282c104e2f61006159e2ad50db6eb978293b52ffb39dff7ec16dd5c273acc9565f369db580ddb0e71011

/data/data/com.fdcz.zsct/app_bugly/tomb_1716022159227.txt

MD5 bd0f8f8f3ad93fa07623422ec6e72003
SHA1 c3589295e7a4ddcf35bcd7a2c13bfd381783821a
SHA256 7fe875398dea7537a57a77c5275cbc8647aaf63ab6fd9148443b65df2e1d0647
SHA512 2ec3e073321262b667afbf98fe4e9f51e4c0c58baaad506b120239031f10699d699b94470bef13007bd6199df3d3b03f1eaf147c0cba5178aee7e267072b1c0b

/data/data/com.fdcz.zsct/app_bugly/rqd_record.eup

MD5 63e7266564f48ced2f09186709ec64fb
SHA1 e06c1e5afad533477cb302447dba7b86b4d575be
SHA256 e023ac7d92012e559c26ae2bf37708abbaf02c2b0419edf2af31e11c19a369da
SHA512 8dddf5f393bc083dddf6f4fe7383b4e49e91a4a468b795c42012268bc36f87b1be90d55c88f986916a682a5009c14902e7178ea5c8ed3a85b68b858a4ba838f1

/data/data/com.fdcz.zsct/app_bugly/rqd_record.eup

MD5 218d70d7431af16487df887fb16c0680
SHA1 46b541860d69fe195242519f6c578f56bdf87bd8
SHA256 aaaafd2aaab766fcc42f71b10d6996334d11e89cd16dba770e311fc8f472217b
SHA512 efb518e27264fde6a42a629aad82bee48d219c95d090dd78a8769ff1b3a246a8ae03c799a342006e21a5fb38dd061fd1c6acfb81b301a18e5d7c2c5a6e955ce9

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 fc9100ba630147674a5e2e2b4ecc786d
SHA1 1c3ab999bc9e5765f2361ded64481fe4306448cc
SHA256 d88c72a6bbe7e55fb09985757cdfc0831ca9966c7ceb30ddd1819c0fa3fafe39
SHA512 d1327bc2d021c2bb3ca5503af482b3749c85a84962860ca2d88c5acf3b68ce271e981fb47d3869009d44428f4fca96410d0257aeb8f2c2e9886489c13d74c053

/data/data/com.fdcz.zsct/databases/bugly_db_lejiagu-journal

MD5 366f1fed615da343413daca1b7a63ded
SHA1 e9e2d9350ab1f2fe8ec9ac833cf396ced1361b21
SHA256 1f310a7ee19245706d1e68b8e13fec4b9039c962b2c67770fca257687964c1e5
SHA512 74acf887a4d6c6fc78b82d7cc729873a71a411aa118f77146afa3e7c64a02fe9288930766b0758e1bbac996c9a4f09aa6c0b9d446f7b368e5438539a697acff3

/data/data/com.fdcz.zsct/cache/tomb.zip

MD5 61e4f945ebd12ba8d5bc2be6c046ab44
SHA1 42b5b887957995045898a7f69bf94d7420893a85
SHA256 7c22d681a92e2303f4a387a1c005144516397a343566e88aab1207f83f7f6e0d
SHA512 f467ff07de63dd6493e8c30b2de11d58b0a925057e2aea8346dbcade372b7ef03e086c2e4cf025cb113c7ce7779806ca0a2a8f500917e6540eb3bf5b9ddaa842

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:52

Platform

android-x86-arm-20240514-en

Max time kernel

7s

Max time network

150s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.3:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:52

Platform

android-x64-20240514-en

Max time kernel

8s

Max time network

132s

Command Line

com.alipay.android.app

Signatures

N/A

Processes

com.alipay.android.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.187.206:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.178.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:49

Platform

android-x86-arm-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:49

Platform

android-x64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-18 08:49

Reported

2024-05-18 08:49

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A