Malware Analysis Report

2025-08-05 19:09

Sample ID 240518-tggsgsbd4t
Target 559548207cd91eb06040d5b391ef8c48_JaffaCakes118
SHA256 d582d7ddc86593e5410fff46bc799ee32089fd52727b84585cc8fdfb8b987356
Tags
banker collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
8/10

SHA256

d582d7ddc86593e5410fff46bc799ee32089fd52727b84585cc8fdfb8b987356

Threat Level: Likely malicious

The file 559548207cd91eb06040d5b391ef8c48_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Reads the content of the SMS messages.

Reads the content of SMS inbox messages.

Checks CPU information

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 16:01

Signatures

Requests dangerous framework permissions

(The sandbox output listed most of these permissions several times over; the duplicate rows are collapsed here so each permission appears once.)

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
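The permission table above is the kind of list an analyst dedupes and scores by hand. The script below is an added example (not part of the sandbox report) that does that: it collapses the repeats, buckets the permissions into capability groups, and flags the combination that characterises an Android banker (SMS interception for OTP theft plus SYSTEM_ALERT_WINDOW for overlay screens). The PERMISSIONS text is constructed from the report's entries with a few of the sandbox's repeats left in; the category map and the "banker profile" rule are this example's own heuristics, not sandbox signatures.

```python
"""Added example, not part of the sandbox report: collapse and triage an
Android permission list such as the static1 table above."""
from collections import Counter

# Constructed from the report's static1 entries; duplicates are deliberate
# so the script has to collapse them the way the sandbox output requires.
PERMISSIONS = """
android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.GET_ACCOUNTS
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.RECEIVE_SMS
android.permission.READ_EXTERNAL_STORAGE
android.permission.SEND_SMS
android.permission.WRITE_SETTINGS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.RECEIVE_MMS
android.permission.CAMERA
android.permission.WRITE_EXTERNAL_STORAGE
"""

# Capability buckets: a heuristic grouping for triage, not Android's own
# protection-level classification.
CATEGORIES = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS"},
    "overlay": {"SYSTEM_ALERT_WINDOW"},
    "telephony": {"READ_PHONE_STATE", "CALL_PHONE"},
    "location": {"ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION"},
    "accounts": {"GET_ACCOUNTS"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "settings": {"WRITE_SETTINGS"},
    "camera": {"CAMERA"},
}


def parse_permissions(text):
    """Return (unique short names in first-seen order, Counter of occurrences).
    Repeats usually mean the scanner walked more than one manifest, so the
    count is kept rather than thrown away."""
    names = [ln.strip().rsplit(".", 1)[-1] for ln in text.splitlines() if ln.strip()]
    return list(dict.fromkeys(names)), Counter(names)


def categorize(perms):
    """Map unique permission names onto the capability buckets they belong to."""
    hits = {}
    for cat, members in CATEGORIES.items():
        found = sorted(p for p in perms if p in members)
        if found:
            hits[cat] = found
    return hits


def banker_flags(cats):
    """Heuristic banker profile: reading/receiving SMS (OTP theft) together
    with drawing over other apps (fake login screens). SEND_SMS and
    CALL_PHONE are secondary indicators (premium-rate fraud, call forwarding)."""
    sms = set(cats.get("sms", []))
    flags = []
    if {"READ_SMS", "RECEIVE_SMS"} & sms:
        flags.append("sms-intercept")
    if "SEND_SMS" in sms:
        flags.append("sms-send")
    if "overlay" in cats:
        flags.append("overlay")
    if "CALL_PHONE" in cats.get("telephony", []):
        flags.append("silent-call")
    return flags


def triage(text=PERMISSIONS):
    """Full pass: dedupe, bucket, flag, and decide whether the banker profile matches."""
    unique, counts = parse_permissions(text)
    cats = categorize(unique)
    flags = banker_flags(cats)
    return {
        "unique": unique,
        "repeated": {p: n for p, n in counts.items() if n > 1},
        "categories": cats,
        "flags": flags,
        "banker_profile": "sms-intercept" in flags and "overlay" in flags,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run as-is it reports 13 unique permissions, the repeat counts, and the flags sms-intercept, sms-send and overlay, so the banker profile matches for this sample's manifest; feed it the behavioral1 list instead and CALL_PHONE adds the silent-call flag.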

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 16:01

Reported

2024-05-18 16:04

Platform

android-x86-arm-20240514-en

Max time kernel

8s

Max time network

130s

Command Line

com.ygi.hmwjqf

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar N/A N/A
N/A /data/user/0/com.ygi.hmwjqf/files/Plugin2.apk N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.ygi.hmwjqf

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygi.hmwjqf/files/rui/oat/x86/fKHUOiL.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk --output-vdex-fd=72 --oat-fd=74 --oat-location=/data/user/0/com.ygi.hmwjqf/files/oat/x86/Plugin2.odex --compiler-filter=quicken --class-loader-context=&

getprop ro.product.cpu.abi

getprop ro.product.cpu.abi2
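The two dex2oat processes above are the runtime side of the "Loads dropped Dex/Jar" signature: when the app hands a file it wrote itself (here fKHUOiL.jar and Plugin2.apk under its private files directory) to a class loader, ART compiles it with dex2oat, and the --dex-file path tells you where the dropped code lives. The script below is an added example (not part of the sandbox report) that extracts those paths from dex2oat command lines and keeps only the ones under an app-private directory. The command lines are abbreviated copies of the report's two (the truncated trailing --class-loader-context argument is dropped) plus one constructed benign control for an installed APK under /data/app/; the app-private path pattern is this example's assumption about the Android layout, not something the sandbox states.

```python
"""Added example, not part of the sandbox report: pull runtime-loaded code
paths out of dex2oat command lines like the two in the Processes section."""
import re
import shlex

# Abbreviated from the report's two dex2oat invocations, plus a constructed
# benign control (an installed base APK being compiled from /data/app/).
DEX2OAT_CMDLINES = [
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar "
    "--output-vdex-fd=44 --oat-fd=45 "
    "--oat-location=/data/user/0/com.ygi.hmwjqf/files/rui/oat/x86/fKHUOiL.odex "
    "--compiler-filter=quicken",
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art "
    "--dex-file=/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk "
    "--output-vdex-fd=72 --oat-fd=74 "
    "--oat-location=/data/user/0/com.ygi.hmwjqf/files/oat/x86/Plugin2.odex "
    "--compiler-filter=quicken",
    # Constructed benign control: package manager compiling an installed APK.
    "/system/bin/dex2oat --instruction-set=x86 "
    "--dex-file=/data/app/com.example.benign-1/base.apk "
    "--oat-location=/data/app/com.example.benign-1/oat/x86/base.odex "
    "--compiler-filter=quicken",
]

# App-private data directories: /data/user/<userid>/<pkg>/ and its
# /data/data/<pkg>/ alias (assumed layout). Code compiled from here was
# written by the app at runtime, not installed by the package manager.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z0-9_.]+)/")


def parse_dex2oat(cmdline):
    """Turn '--key=value' arguments into a dict. Flag-style pairs such as
    '--runtime-arg -X...' carry no path and are skipped."""
    args = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            args[key] = value
    return args


def dropped_dex_loads(cmdlines):
    """Return one record per dex2oat invocation whose --dex-file sits in an
    app-private directory, tagged with the owning package name."""
    hits = []
    for cmd in cmdlines:
        args = parse_dex2oat(cmd)
        dex = args.get("dex-file")
        if not dex:
            continue
        m = APP_PRIVATE.match(dex)
        if m:
            hits.append({"package": m.group("pkg"), "dex": dex,
                         "oat": args.get("oat-location")})
    return hits


if __name__ == "__main__":
    for h in dropped_dex_loads(DEX2OAT_CMDLINES):
        print(f"{h['package']}: runtime-loaded code {h['dex']} -> {h['oat']}")
```

On the report's two command lines this yields both dropped files attributed to com.ygi.hmwjqf and ignores the /data/app/ control; the same path test works on the sandbox's Files section, where the three differing hashes for fKHUOiL.jar show the dropped payload being rewritten during the run.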

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             app.jtmtht.com            udp
GB       216.58.212.227:443     -                         tcp
CN       120.55.89.238:8977     -                         tcp
US       1.1.1.1:53             sdk.qipagame.cn           udp
US       1.1.1.1:53             jx.hamofo.com             udp
US       1.1.1.1:53             xiafa.hamofo.com          udp
CN       118.31.135.201:80      jx.hamofo.com             tcp
CN       120.27.184.190:80      xiafa.hamofo.com          tcp
GB       142.250.180.14:443     -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.206:443    android.apis.google.com   tcp

Files

/data/data/com.ygi.hmwjqf/files/rui/fKHUOiL.jar

MD5 71a447564ddfedec2d7ccc09404b50de
SHA1 537ca7b2ce9aaf513e217db5560c30add7912494
SHA256 15c29239d04d24790b11e9c6f73b9707013ac1f4473ba2d805268479f0495c2c
SHA512 7e9a1d1b5a8f7529586fb989247b07e2fdb830808740737353d0abcac9a4b5b10f654d634be228ef01cdb6828857017095f11ee2808f0ef46615e46af7b626f8

/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar

MD5 ea26cf686a381a188cbbd7e1d6ba25b2
SHA1 c04fbf5cc016306f6395a81984667e51246ae7be
SHA256 eff87c3a9fb2fa80d7b6444f2bbbf60ec418ef043186e362f6256ca6fd166527
SHA512 775d33d0a1a3012b4025c6c3e8457fc6fe92a172270db78b177db3cfd21657d545953f5a2f9ca80dcc3882553c77faac392bd4922f0cdf89fb8eac44580e3d99

/data/user/0/com.ygi.hmwjqf/files/rui/fKHUOiL.jar

MD5 338c4c9ce3fc4648f14fad9b5d23f31c
SHA1 11a05600a57ea58d3711e049ed35a461335f4ee6
SHA256 564b42bf05c402c73dc42edfc75133c2b20ab7178895c2e68c562260fd5ec0bf
SHA512 66cefa3d5effbcd64f9c95b957ff2580a2b7858fb08e0193349becaf657c08e01ab27851fc819ebd9a47929bee8ecc52a7ceafb49ad13b63bee52d947e18fbd9

/data/data/com.ygi.hmwjqf/files/umeng_it.cache

MD5 162913de87cf5e65a0188fd94a97c1e5
SHA1 cb49d9ad5092ef0a9305ac744d1098ed22c303f7
SHA256 03c9bbdc79ae2ca74c2af969b88ffc71f1c1c3b433a04ef9525ea6f628cdea58
SHA512 5fe1ef582e91fa4f5fe2605a2736234e9d0c6264074d0be7288cc0a773d0a41be37705693cfe0c02626c2fec623836282920b208ed0f276b6a0dbe20ee98bc81

/data/data/com.ygi.hmwjqf/files/Plugin2.apk

MD5 3d216f8fddb9705a6720a285475837f1
SHA1 f053d23b284bfe2faf6e76d353ff052471e2de2c
SHA256 de7bf40574754a5144fa5cf3bc5e97f7adc7f5abebb18c41e8f0631917db4c0c
SHA512 38be39da8f96abc87109cfd57b2d63ddfa72971f023024a5b4ce1f97cd905a96a94e19eea19ae9b745f28d02c6689a4473627ce57ec85dce2018a77e699620cb

/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk

MD5 2a425e0fae74f20a2c475da937a619a2
SHA1 4d701c7e6d828aa96ba8a493720e7282c49ec741
SHA256 2c61a25f1ad5783bf82eea9faa2536cac4788ed3147bc1864d9ef17ea01be6a7
SHA512 44c8d2a837b606de99055badbd4b5e708424ca9809b1583d13aefadc4d4af974658dc3a3f179fc3047eef7167151c638ff66dd6c8d38121b6ecdfb464d2a5a60

/data/user/0/com.ygi.hmwjqf/files/Plugin2.apk

MD5 ef019d14367b7346b1ae2419e9d445c8
SHA1 23d81fcf81f3a9f2a991ba4d0d135fe2a28aa188
SHA256 1d83642ede6b16a071676e895f547d056543b5b4622bbc9b9b4ab45e47bf9ba0
SHA512 ea582f21c6054c37c679c798e93116c9c18c9544c0feb78fb949bed7b2cd3122c8d7bb8ecef329829c2531764abeb6200f0af49ede97c3b0b7448bdb65a34a60

/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-journal

MD5 17b7fe4b0ed89744361706a313cedfe2
SHA1 0e3155c487ce4f8e311e922b2cba207b581445b5
SHA256 f3a41e88dc6f755785bf453434d356c5aa16d15feaa2215eede75380d2b5a9aa
SHA512 1ff99854913d5384c659e5e7a3d59343d1ee48e8588dd82d6201e1a2470dbd6b35dfddc9b4f7d87553a2782eee90ff3eca89adbfc3b21b2cd5222021ff9c9a8f

/data/data/com.ygi.hmwjqf/databases/wochi_v4.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.ygi.hmwjqf/databases/wochi_v4.db-wal

MD5 d72f0ffbe332ee8e6e81b6347406ba53
SHA1 6483f01d48b1586b4837175f4184bd736b3bb009
SHA256 c96d2f0c130548a44c5b1432eb8a12f7dbc2f65647209e5c25325c0d873c3d5b
SHA512 bb19a9cac79a8a83cde63d10e1fc8e027ecacc5987b50c7cae8f78d408bcbfa6e13652c80b9d2ba0ee823fbeccd34ebaa89f3c17f9330885f885062c7b2703dc

/data/data/com.ygi.hmwjqf/files/log.dat

MD5 ff9229f8e7c92d44d48e25206d43b021
SHA1 be3d75050c16c5b7484652ba292fdd6510f205d3
SHA256 77fc3599be409f7e73e643de843c0ebcfa20662964c498fc59e245c7f5e003a2
SHA512 be7b3aa8d670a2873c6b7bfd4ca93121fd2450723cbbc36d9d06d152fafa3ce90451f0a60ab56bc96bccb81cf5aae0167b404073db14dc17b9513ac73d455c58

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 16:01

Reported

2024-05-18 16:01

Platform

android-x86-arm-20240514-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 16:01

Reported

2024-05-18 16:01

Platform

android-x64-20240514-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 16:01

Reported

2024-05-18 16:01

Platform

android-x64-arm64-20240514-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A