Malware Analysis Report

2025-08-10 13:10

Sample ID 241016-cvagwssbqn
Target 4b02fe08b3053a774b94e09d39c65102_JaffaCakes118
SHA256 0d634132ba38a82cebabd6ab3e695f80d8d537cf42ef70f232659e9a4d3f8896
Tags
collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0d634132ba38a82cebabd6ab3e695f80d8d537cf42ef70f232659e9a4d3f8896

Threat Level: Likely malicious

The file 4b02fe08b3053a774b94e09d39c65102_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Queries information about active data network

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 02:23

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 02:23

Reported

2024-10-16 02:25

Platform

android-x86-arm-20240624-en

Max time kernel

5s

Max time network

137s

Command Line

com.dsf.grg.hthjhdx.gg.youtou

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Processes

com.dsf.grg.hthjhdx.gg.youtou

/system/bin/cat /proc/cpuinfo

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.guomanni.cn udp
US 1.1.1.1:53 api.jxmei.net udp
CN 139.196.191.233:6600 tcp
US 1.1.1.1:53 api.fujicon-yf.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

/data/data/com.dsf.grg.hthjhdx.gg.youtou/databases/xUtils_http_cookie.db-journal

MD5 33cd3df91d9b2402ca99607172f95dbc
SHA1 a66fe2e5e3b21668af8ce7805c05e144e213a27d
SHA256 5bab268d40710e05a69a195ffee1d9189637a83a06b32baf26149981bce6b939
SHA512 daa0253dd115e8b8ccb17ddc1717725b15b1d12b5d2b54ffb3a7197a97a0b377ce2c0204c5d00b57004db276640730bb3d2c7c86ee332df2fce3ad2e7d7d4ab4

/data/data/com.dsf.grg.hthjhdx.gg.youtou/databases/xUtils_http_cookie.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.dsf.grg.hthjhdx.gg.youtou/databases/xUtils_http_cookie.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.dsf.grg.hthjhdx.gg.youtou/databases/xUtils_http_cookie.db-wal

MD5 6c1ef98473b738902f9f033ca6f8351f
SHA1 86c414d51d94878e3ad829fd71d37653bfa1cbe8
SHA256 fee56bf42135ec7e879378fe9831e862990ea62e60431e70c6df3db969cb11dc
SHA512 7d99f86648664350ba839e88cc247d008a224dea81c46509134375e9849cf85c5ef4f4deb351fb3648bdbbf6561206f4b45949e7f9ae4d889f01707e32c4ddb7

/data/data/com.dsf.grg.hthjhdx.gg.youtou/files/jinmd.jar

MD5 5ebc59044d0a8b9bca9e700e33d3a84d
SHA1 19c85b346bcfd71016427bd1d02dcff956a01a69
SHA256 3acc5a70182c9e323d9153d0a00930a6b6662b846b2c3ba59ec554fdb238eb89
SHA512 f42e1316b5b4f5f0dd6e35d0eb7f4a4eb9fc8aec0aa779dbe38458c8663a6fcc09ab9f8c37c9d2e858e1c5f40bb6191e9b22bba700b50c1d1cc4b55d736ca692

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 02:23

Reported

2024-10-16 02:23

Platform

android-x86-arm-20240624-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 02:23

Reported

2024-10-16 02:23

Platform

android-x64-20240910-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-16 02:23

Reported

2024-10-16 02:23

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A