Malware Analysis Report

2025-08-06 02:51

Sample ID 241015-z9npdsxgna
Target 4a1417007cce3309e04b28f326953288_JaffaCakes118
SHA256 592fd5f007d203ca288a16161f53dc7ca7bcf84ef431b45c48e42d7d202c0ba9
Tags
collection credential_access discovery evasion impact persistence
score
7/10

Analysis Overview

score
7/10

SHA256

592fd5f007d203ca288a16161f53dc7ca7bcf84ef431b45c48e42d7d202c0ba9

Threat Level: Shows suspicious behavior

The file 4a1417007cce3309e04b28f326953288_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Reads the content of SMS inbox messages.

Requests cell location

Reads the content of the SMS messages.

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 21:25

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x64-arm64-20240910-en

Max time network

150s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:25

Platform

android-x64-20240624-en

Max time kernel

6s

Max time network

13s

Command Line

com.dajlxc.djzdls

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.dajlxc.djzdls

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ltdt.i51fu.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp

Files

/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 278e8100ea1ee2c466d55451e87cef73
SHA1 8347d2b269f74841ca92cef51d450ed953d73aaa
SHA256 06d08532287fc6a934aba8d5a361eb83e4d7a1c8cde4f6663ab2746e4fc09a38
SHA512 3e7fcf245a07ce8e03a78f75835c30e0b0f270e68987f85b92aa97f7b0894d73702ebdd80372cddea310a52624db1ccf65125399b6bf218dbd717ad053dec088

/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 21c7c675b3dc4ba37ecf2e58fec9ccf8
SHA1 16d524195e74f324010e7e5cf5a73e39bf757864
SHA256 7502952614e205d4d5605d0af83169fb70efedc52b0feaa1f9003cbfd830ea93
SHA512 ad3725129013e75c632b383999b7a936beed98418ed7d92d4dd4a5fb9ac7a1f518b4b6444324d5f366f422fe5099f6a54bc7ce62be4f8077ab4957b144b85482

/storage/emulated/0/com/android/system/uid.sys

MD5 44369ec4020a3de1cbb93b91b534fa90
SHA1 796bc8fcdca9a2eb3b80d334b6490dd14f05c78b
SHA256 7803e84ba2109bb973471fc882900c1b54f6945507af7b5bbba9c66531e00fee
SHA512 cb2eed985115f349c244494352cd08fe43068423d6b60e1a9292e800a8c630e099cfc6c68ef88c63d11a8d1302c6fed6ee0413f35f8eaab54bf115050c4595d4

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

134s

Command Line

com.dajlxc.djzdls

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.dajlxc.djzdls/app_lyhtgh/plugins/com.lyhtgh.pay.ltplugin.apk | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.dajlxc.djzdls

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ltdt.i51fu.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | pt.cooguo.com | udp
US | 1.1.1.1:53 | int.dpool.sina.com.cn | udp
N/A | 10.79.217.129:80 | int.dpool.sina.com.cn | tcp
US | 1.1.1.1:53 | game.cooguo.com | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp

Files

/data/user/0/com.dajlxc.djzdls/app_lyhtgh/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 278e8100ea1ee2c466d55451e87cef73
SHA1 8347d2b269f74841ca92cef51d450ed953d73aaa
SHA256 06d08532287fc6a934aba8d5a361eb83e4d7a1c8cde4f6663ab2746e4fc09a38
SHA512 3e7fcf245a07ce8e03a78f75835c30e0b0f270e68987f85b92aa97f7b0894d73702ebdd80372cddea310a52624db1ccf65125399b6bf218dbd717ad053dec088

/data/user/0/com.dajlxc.djzdls/app_lyhtgh/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 21c7c675b3dc4ba37ecf2e58fec9ccf8
SHA1 16d524195e74f324010e7e5cf5a73e39bf757864
SHA256 7502952614e205d4d5605d0af83169fb70efedc52b0feaa1f9003cbfd830ea93
SHA512 ad3725129013e75c632b383999b7a936beed98418ed7d92d4dd4a5fb9ac7a1f518b4b6444324d5f366f422fe5099f6a54bc7ce62be4f8077ab4957b144b85482

/storage/emulated/0/com/android/system/uid.sys

MD5 bef6c18ae5595292449ca315afcbba1e
SHA1 7cbf34033990f75a7129ccc0fda7d2ea63705e6e
SHA256 338386cbb4c309fc7b091cbf6a38a37f4d09857c2b95f946ab403a6128ca0414
SHA512 3561093d930ab0b870eb74f48d04e41dc05fa1a07dac679f09b192657229b3603ce421b5e3f7e6c7f5a2587a5171391aa7db6fa20aec1e110e6749f5ff8b7a65

/data/user/0/com.dajlxc.djzdls/app_lyhtgh/plugins/oat/com.lyhtgh.pay.ltplugin.apk.cur.prof

MD5 e5645f1e85d607eb74168300122f2ecd
SHA1 de20fe75e66088b010c118fdbc8732947aa3e301
SHA256 e9216f21d9471db6c74d7641010f6b9b7abfed3fa709f2f6d560651a347477e0
SHA512 32cfbb86ad6818b7be4e4587eae7f48b1f9f513a470ed186e842eb79c22e3d55970c7dfd3f142fbea22d22ae23dbcf3b2c3db2f5491a22038984ad879923b20a

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x86-arm-20240624-en

Max time network

132s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x64-arm64-20240624-en

Max time network

134s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

130s

Command Line

com.dajlxc.djzdls

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk | N/A | N/A
N/A | /storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the content of SMS inbox messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.dajlxc.djzdls

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk --output-vdex-fd=46 --oat-fd=47 --oat-location=/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/oat/x86/com.lyhtgh.pay.ltplugin.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | ltdt.i51fu.com | udp
US | 1.1.1.1:53 | pt.cooguo.com | udp
US | 1.1.1.1:53 | int.dpool.sina.com.cn | udp
N/A | 10.79.217.129:80 | int.dpool.sina.com.cn | tcp
US | 1.1.1.1:53 | game.cooguo.com | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 278e8100ea1ee2c466d55451e87cef73
SHA1 8347d2b269f74841ca92cef51d450ed953d73aaa
SHA256 06d08532287fc6a934aba8d5a361eb83e4d7a1c8cde4f6663ab2746e4fc09a38
SHA512 3e7fcf245a07ce8e03a78f75835c30e0b0f270e68987f85b92aa97f7b0894d73702ebdd80372cddea310a52624db1ccf65125399b6bf218dbd717ad053dec088

/storage/emulated/0/Android/data/com.lyhtgh.pay/plugins/com.lyhtgh.pay.ltplugin.apk

MD5 21c7c675b3dc4ba37ecf2e58fec9ccf8
SHA1 16d524195e74f324010e7e5cf5a73e39bf757864
SHA256 7502952614e205d4d5605d0af83169fb70efedc52b0feaa1f9003cbfd830ea93
SHA512 ad3725129013e75c632b383999b7a936beed98418ed7d92d4dd4a5fb9ac7a1f518b4b6444324d5f366f422fe5099f6a54bc7ce62be4f8077ab4957b144b85482

/storage/emulated/0/com/android/system/uid.sys

MD5 01b7e0a09645544befd01b5dfa11eb44
SHA1 27cc80ddbef513986b2afb0418e02df972c767d8
SHA256 ba6c50deac163098e7e7331cefe565b613f12bcc41114645a770d777252cefef
SHA512 e6de69af69f47d34cd8761bda7884b4ae426c988db29b533570b283adfd3cc0e3ae32859e49c762b52ee32d590ae1e349bc0c3e84634a16d4039a1672e5057ae

/storage/emulated/0/cooguo/data/code/CG.DAT

MD5 f9b4c184acb79fd4c8252cd6e88d8050
SHA1 cf665327477e78bda68ef595426f16ceb30b990c
SHA256 9b76574309fba347747f19e525f9d0ced2863648c1263dc9d8143fa5cd1bc8c1
SHA512 2d02162c1a8ec6c7fe48eda339970cf0d0603d0133f42cc1182df2f93053ee9ffd7d6fac4cc84e2443dd3164f893cac70b767ab04e8f8527a61f1d784dc4102a

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x64-20240624-en

Max time network

148s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x86-arm-20240910-en

Max time network

144s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | | tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-15 21:25

Reported

2024-10-15 21:27

Platform

android-x64-20240910-en

Max time network

150s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp

Files

N/A