Malware Analysis Report

2025-08-10 13:11

Sample ID 241016-e3zg4awhnr
Target 4b651f6213ef02293d573d342f56ddef_JaffaCakes118
SHA256 84e2473456b03bff8b811d33e0f7b10d49eb2f47fef8708dd66a6294f43ad040
Tags: collection, discovery, evasion, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 84e2473456b03bff8b811d33e0f7b10d49eb2f47fef8708dd66a6294f43ad040

Threat Level: Shows suspicious behavior

The file 4b651f6213ef02293d573d342f56ddef_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection, discovery, evasion, persistence

Queries the phone number (MSISDN for GSM devices)

Requests cell location

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 04:28

Signatures

Requests dangerous framework permissions

Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Description: Allows an app to access approximate location.
Indicator: android.permission.ACCESS_COARSE_LOCATION
Process: N/A
Target: N/A

Description: Allows an application to write to external storage.
Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 04:28
Reported: 2024-10-16 04:31
Platform: android-x86-arm-20240624-en
Max time kernel: 145s
Max time network: 131s

Command Line

netmask.solve

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection, discovery, evasion
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getCellLocation
Process: N/A
Target: N/A

Queries information about active data network
Tags: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Reads information about phone network operator.
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Processes

netmask.solve

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           aos.gw.youmi.net          udp
US       1.1.1.1:53           stat.gw.youmi.net         udp
GB       142.250.187.206:443  N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp

Files

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 04:28
Reported: 2024-10-16 04:31
Platform: android-x64-20240624-en
Max time kernel: 144s
Max time network: 156s

Command Line

netmask.solve

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection, discovery, evasion
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getCellLocation
Process: N/A
Target: N/A

Queries information about active data network
Tags: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator.
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Processes

netmask.solve

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           aos.gw.youmi.net          udp
US       1.1.1.1:53           stat.gw.youmi.net         udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.200.40:443   ssl.google-analytics.com  tcp
GB       142.250.179.238:443  N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.180.14:443   android.apis.google.com   tcp
GB       142.250.179.228:443  N/A                       tcp
GB       142.250.179.228:443  N/A                       tcp

Files

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/data/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-16 04:28
Reported: 2024-10-16 04:31
Platform: android-x64-arm64-20240624-en
Max time kernel: 144s
Max time network: 132s

Command Line

netmask.solve

Signatures

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Requests cell location
Tags: collection, discovery, evasion
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getCellLocation
Process: N/A
Target: N/A

Queries information about active data network
Tags: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process: N/A
Target: N/A

Processes

netmask.solve

Network

Country  Destination          Domain                    Proto
GB       216.58.212.238:443   N/A                       tcp
GB       216.58.212.238:443   N/A                       tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       216.58.204.78:443    android.apis.google.com   tcp
N/A      224.0.0.251:5353     N/A                       udp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.180.14:443   android.apis.google.com   tcp
US       1.1.1.1:53           aos.gw.youmi.net          udp
US       1.1.1.1:53           stat.gw.youmi.net         udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.180.8:443    ssl.google-analytics.com  tcp
GB       142.250.187.228:443  N/A                       tcp
GB       142.250.187.228:443  N/A                       tcp
US       1.1.1.1:53           www.google.com            udp
GB       142.250.187.196:443  www.google.com            tcp

Files

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA

/data/user/0/netmask.solve/files/E2FDAA28C7344D2F9FAA4A0FEC1296AA