Malware Analysis Report

2025-08-05 10:12

Sample ID 241017-bdqbcaxann
Target 5002fb5f1daff7468f480004fb81c4d6_JaffaCakes118
SHA256 f02f9b3a9abd8913886f6632e9a2342cca30003b3a6e66d9463f728cf77018e3
Tags banker collection discovery evasion impact persistence
Score 7/10


Analysis Overview

Score 7/10

SHA256 f02f9b3a9abd8913886f6632e9a2342cca30003b3a6e66d9463f728cf77018e3

Threat Level: Shows suspicious behavior

The file 5002fb5f1daff7468f480004fb81c4d6_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 01:01

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 01:01

Reported

2024-10-17 01:04

Platform

android-x86-arm-20240624-en

Max time kernel

122s

Max time network

131s

Command Line

com.cool.mytaskkiller

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cool.mytaskkiller

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | mob.adwhirl.com | udp
US | 1.1.1.1:53 | csapi.adfeiwo.com | udp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
US | 1.1.1.1:53 | data.flurry.com | udp
US | 74.6.138.67:80 | data.flurry.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ad.veegao.com | udp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp

Files

/data/data/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 02e57d963b233f60b55a515d4a1778b4
SHA1 811f603247040ea132cf2983bf0e0066ba7aa8d2
SHA256 10d9959684baa746dfe3635e48b7eb3d01756d7679494a55cd1a54dc1fae1f6e
SHA512 fef4a8b3ef806db3517e406a1c12a4764d533abdaa696fd670f1d1178681a7aba23f37ef299845c5169ffc9cf9bbe603c62b1759a406435798d4f56103c25a0d

/data/data/com.cool.mytaskkiller/databases/vdownloads

MD5 1a537819a85008672765786587ca9c8f
SHA1 63f450d5148eae7e22ee28050c40c210a903f277
SHA256 3a97a8408d0b03051c54c7f677f0b23778982cd534c0ed9bbd8cd4775281a92b
SHA512 4839fed776fe039304249842e917d0bccc157009ba6ea5dbe66cb65f428074785cdd42740d5cde9d2615ee5acf7ba2206b2ef863609ba1cfb061901995d273d1

/data/data/com.cool.mytaskkiller/databases/vdownloads-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cool.mytaskkiller/databases/vdownloads-wal

MD5 571fc5d8667b2b32094f6389aff96140
SHA1 6963c7b09e5b78a9c4fb11592faa9d0af0e6d6bf
SHA256 891584a36ed09d99d2a0529fa839a1ac7721271d20dd7d1089229da9681d8495
SHA512 c171767d1ffb706d2f051076b143fc7dc7944c78ae4261f9cf5414f250e22b2a36b1a68aec1be9e71aa6458277b06dabb97085059f329f6535ed4f5526f3d511

/storage/emulated/0/Android/data/code/.vapp.dat

MD5 19236718671c7f0c44534511dc8c9651
SHA1 e720e1b4512c2d08edad7aab5f120baed0459dc1
SHA256 afc7c9707b03c0dff64f0f2d16e29ea8a8d742ff3771caabb411274685120e22
SHA512 e9bd51472c181519703bf1da508b6a21e893284ab9d1fa20761f5a12890d45161c1fa3bdf4a21a579e0930406686cdfd5560a522f3e68b022e8beacbf3e1d8ce

/storage/emulated/0/Download/vgp/clearT.dat

MD5 b1f15b56516db9bf85d834fe77ea7045
SHA1 d12a4d0cabb6af6c53cb8396878858e85344cc78
SHA256 cd868a55640f5db2e62e426e4800aa77eee9bf478e232f59910b590a10144ce3
SHA512 2207d88ac37988ef0b6f365df1af0ef3d040b9689a5fa860d7b27d7a3f971636f00b2f0af67e9c7ace6c4104aca9387bbcc422792344e8e4db1f89f34e03d438

/storage/emulated/0/Android/data/code/KI.DAT

MD5 2b53b6b030d7bdb5da6ea0d501b6a165
SHA1 fa4e9e8d724d91963a3fa3def11790559cac11c1
SHA256 d8209526853a232417c586b6c130ed3ec53af8a2928b95d032ddcee37b4698fc
SHA512 dceddb69f3c907593c47edd56cea3b5cd68e560f020244e6abf9e63c58263d38b36e8736617758f2c5c7292bffd815af44fee3805217aa9065cd143e0599b128

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 01:01

Reported

2024-10-17 01:04

Platform

android-x64-20240624-en

Max time kernel

123s

Max time network

147s

Command Line

com.cool.mytaskkiller

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cool.mytaskkiller

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | mob.adwhirl.com | udp
US | 1.1.1.1:53 | csapi.adfeiwo.com | udp
US | 1.1.1.1:53 | data.flurry.com | udp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
US | 74.6.138.67:80 | data.flurry.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
US | 1.1.1.1:53 | ad.veegao.com | udp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
GB | 216.58.201.98:443 | N/A | tcp
GB | 172.217.169.46:443 | N/A | tcp

Files

/data/data/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 6c2c0cfc440a0f984baae78893d60023
SHA1 bcf81d63fb764b919babb8bcc896caf89203e1d5
SHA256 cd28312adc7151a43d1220207c5ad646a81c41e3437d98ec482dc38a83dcc817
SHA512 22a989d12c154cf186c877f40deb8a92bdc951c15192d313d72ad005b433ef5a8a36939571d0a6c9265457d792230f80735a39e2a49d64198c92eb1bb46301c2

/data/data/com.cool.mytaskkiller/databases/vdownloads

MD5 9b189529fa9f46f1f64a0c4832be6e8f
SHA1 e8226c2e92047586e7510212afad35c1b6d18be7
SHA256 819dc857f87812e465bd3f14cc8238edfaa4ca9831d33751552d518f6ae846a6
SHA512 c86fdd0f19cd3a0d05cebb1ddbbcfe5bb3a55730700a91cda75334fd14f3be22117868b86cdbfb7762bb6b68f272afe721c6ad42f662328283f58eaaf1f0f388

/data/data/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 0b37838c61656c29f8fb4ba0f03ead82
SHA1 88c4fa91817004137baedfaf059d6462234d2fad
SHA256 466ffeac88650980024d37620450790b9b4674fccafebc91c6cb11e81f50ec70
SHA512 b22ad4c7e9bc592e2554b9f222cf0e4af277f93c75298a362eeb3d403b8d7b8a02ca68f188561b85f1388eb6b094a58508d3c9c646ef5b8696a1a87b2ffd3454

/data/data/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 86a7fbd2ffebe9c3ed1361bac872b659
SHA1 ce4a239266c8fa14d58ecf2830f7a1a01653ee84
SHA256 7ad613841398087ed54b35063dc3ebcbe15e6303e4add25df10da4fb2b330bc4
SHA512 aa6e9242c0721df034a85ea238882a9fc9cad31acf81947a9f97c82bf16aec0239f0f8da9a5231bddba19da6e4585ae7b4cb773fb1519d9dc1471558909a6da3

/storage/emulated/0/Android/data/code/.vapp.dat

MD5 87e6d328014546e0270d63d9d145e27a
SHA1 3718a1b4035a37f461e070e40559d981826c30df
SHA256 4367c5f61cd96e32bd014b24d23e4d720308150d9c101cb711fd8479f39ccbe1
SHA512 4ff2284d97866a4704b3c382034f45e9ed1c29f838982baa85f3bf99e8a918773c17cac409fe870a87440c56ab7b17dbef1b38a20394aed758332b8119b36684

/storage/emulated/0/Download/vgp/clearT.dat

MD5 76dc1c37414d15df0805970269c2d01a
SHA1 b88985647aa28642bc83104e5b0aa3f30170f27e
SHA256 13490eb9a97b802009eeda505b5907a95704eb90adabfcdcf4db73a16673872f
SHA512 00914b2d0d56c80794c7dbd1ccc2a8e375c69a457315de177f5ca4c9030597d6cbcc663e9ccdfe5e7457173282da830f56f134c63db21303327391b033b7bf21

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-17 01:01

Reported

2024-10-17 01:04

Platform

android-x64-arm64-20240624-en

Max time kernel

124s

Max time network

130s

Command Line

com.cool.mytaskkiller

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cool.mytaskkiller

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | N/A | tcp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mob.adwhirl.com | udp
US | 1.1.1.1:53 | csapi.adfeiwo.com | udp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
US | 1.1.1.1:53 | data.flurry.com | udp
SG | 106.10.248.146:80 | data.flurry.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp
US | 1.1.1.1:53 | ad.veegao.com | udp
GB | 142.250.187.228:443 | N/A | tcp
GB | 142.250.187.228:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
HK | 154.86.204.72:9999 | csapi.adfeiwo.com | tcp

Files

/data/user/0/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 f40af0cb577369d85429678cddcb585d
SHA1 a80cfb8d37837f9f11e93f4180b89bac685b23f4
SHA256 3f2520a62b462e5cc4de1b27811187247b2ff0e734630058f98fc52b7df4bd89
SHA512 3ae4acb1552ed3fc473fb80a315e9f16507af12f4c2fc18c760d1416d4f81a9989d21500ae9c7f09eaf78061962638f8ee81d5d0649fef72819f1ccf1454aa8b

/data/user/0/com.cool.mytaskkiller/databases/vdownloads

MD5 8fe2af476c472e00b00179cd96bc0a67
SHA1 4cfe419c184794d1f680ffdbe5d677be93508fd3
SHA256 ea552d058d1a4f131b361e870b53b460c540993b7cc351cebd8b89effaf88402
SHA512 0a3f8638559491cda2158a00c29aeba6f216b42c89a5b3273605431aba2b41c26f1f76ea6b267fcfbbb193d892436a6034ab779e0980cd7035686412a0890b5d

/data/user/0/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 efd1ffe5baf3855d17cfc545718b869e
SHA1 913a55d2cab6f3d086c3fc17f545cdfde9f52833
SHA256 aae042a7bb03d29443b53b14b0847365cda2e027b95ade682da63804ed4a428b
SHA512 fc2b062cab00d49343102584468eb6924e51a65a4f9b0ebf7ea87bf3692a103fd47084ce764ed3a940f740746b21f55a7faafaf0d7a77758dfff866ae0019996

/data/user/0/com.cool.mytaskkiller/databases/vdownloads-journal

MD5 da154c933fbb6f6a1b42ab242e3ab6f7
SHA1 122ae24de17aa3bb32353ff3a1404f1e062ae9b6
SHA256 270c6f85e355b9ae014ecf6fef0d904fa8ec494c3e649e158e2348fc741ff348
SHA512 16e5d6450bc9440ceacb49cc5be52accd27154d2edebdc36edb008ea0a17fe420d0af7e4b7aef379ef81fdd7433c313166b17f9f279d4af9d1aa377640f9bd37

/storage/emulated/0/download/vgp/clearT.dat

MD5 6a174193997db8112b857e9b489c0841
SHA1 3937e851ac34f4e003515b3081c08b6c15dfcac9
SHA256 077b51513fb4dc58c1216e2dfdb7d0ebc0972c2b05e4578652e42fdb24de1c0a
SHA512 84a8410260509205961f8f752035c9e7cfc198817c45022d3b35e7e1518ca459502a60bb721652d5833a560ecfba09ec15b50424a710b520520f22c04c004c2b