Malware Analysis Report

2025-08-11 07:10

Sample ID 241017-pfvkqsxajd
Target 5206349eb404d2354beeff09e62e7490_JaffaCakes118
SHA256 85337950be8c219d72af0798f0ef27430606398131f28454149a8d06732d6d82
Tags
banker discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

85337950be8c219d72af0798f0ef27430606398131f28454149a8d06732d6d82

Threat level: shows suspicious behavior

Verdict: the file 5206349eb404d2354beeff09e62e7490_JaffaCakes118 shows suspicious behavior (score 7/10); it was not classified as outright malicious.

Malicious Activity Summary

banker discovery impact persistence

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 12:16

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 12:16

Reported

2024-10-17 12:19

Platform

android-x86-arm-20240624-en

Max time kernel

131s

Max time network

137s

Command Line

com.vbplon.laedinpr

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Caveat: alog.umeng.com belongs to the Umeng analytics SDK (umeng.com), and the Files section below shows that SDK is bundled in this sample (umeng_it.cache, .umeng/exchangeIdentity.json, mobclick_agent_cached_*). The echap.eu.org list matches it because stalkerware apps commonly embed that SDK, but so do many legitimate apps, so this hit on its own is weak evidence and should not drive the verdict.

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.vbplon.laedinpr

getprop apps.customerservice.device

getprop apps.customerservice.device

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.57c09796-b18d-422e-9c7c-c9a9f6a77964.mycool.xyz | udp
US | 13.248.252.114:8091 | www.57c09796-b18d-422e-9c7c-c9a9f6a77964.mycool.xyz | tcp
US | 1.1.1.1:53 | www.c52cf203-55c7-46f2-931a-f2154787a937.mycool.xyz | udp
US | 13.248.252.114:8091 | www.c52cf203-55c7-46f2-931a-f2154787a937.mycool.xyz | tcp
US | 1.1.1.1:53 | bdsp.x.jd.com | udp
US | 1.1.1.1:53 | www.d996a17f-e90d-4a5c-b64f-ea13f36d3984.mycool.xyz | udp
CN | 111.13.28.191:80 | bdsp.x.jd.com | tcp
US | 13.248.252.114:8091 | www.d996a17f-e90d-4a5c-b64f-ea13f36d3984.mycool.xyz | tcp
US | 1.1.1.1:53 | ip.taobao.com | udp
CN | 59.82.121.73:80 | ip.taobao.com | tcp
US | 1.1.1.1:53 | www.wosdk.cn | udp
US | 38.33.59.28:80 | www.wosdk.cn | tcp
US | 1.1.1.1:53 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | udp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 1.1.1.1:53 | alog.umeng.com | udp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 13.248.252.114:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
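The table above is one row per connection, which hides the pattern that matters for blocking: every mycool.xyz hostname carries a fresh UUID label (four distinct ones in this run, a fifth in behavioral2), yet all of them reach the same two endpoints on port 8091. The script below is an added example, not part of the report or of the sandbox's own tooling. It collapses a subset of rows copied from this table into per-host entries, discards resolver and mDNS traffic, and treats Google platform endpoints as emulator background noise (that suffix list is an assumption for the example, not a finding of the report). For UUID-labelled hostnames it pivots to the parent domain and to the ip:port endpoints, which are the stable indicators.

```python
"""Triage of a sandbox network table (added example, not part of the report).

Collapses per-connection rows into per-host entries, drops resolver/mDNS
traffic and (assumed) emulator background traffic, and flags hostnames whose
first label is a UUID, since those change every run and make poor indicators
on their own.
"""
import re
from collections import defaultdict

# Constructed input: a subset of rows copied from the behavioral1 Network table.
# Columns: country, destination ip:port, optional domain, protocol.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.57c09796-b18d-422e-9c7c-c9a9f6a77964.mycool.xyz udp
US 13.248.252.114:8091 www.57c09796-b18d-422e-9c7c-c9a9f6a77964.mycool.xyz tcp
US 1.1.1.1:53 bdsp.x.jd.com udp
CN 111.13.28.191:80 bdsp.x.jd.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
US 99.83.138.213:8091 www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz tcp
US 99.83.138.213:8091 www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz tcp
US 13.248.252.114:8091 www.e512f15d-8804-45de-b423-7467d1dbe20a.mycool.xyz tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
"""

UUID_LABEL = re.compile(
    r"^www\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.(?P<parent>.+)$"
)
RESOLVER = "1.1.1.1:53"    # the sandbox's DNS resolver
MDNS = "224.0.0.251:5353"  # multicast DNS, emitted by the OS itself
# Assumption for this example: Google platform endpoints are emulator background noise.
PLATFORM_NOISE_SUFFIXES = ("google.com", "googleapis.com")


def parse_rows(text):
    """Parse flattened rows; a 3-token row has no domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # blank or malformed line
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue  # header line ("Country Destination Domain Proto")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    dest = f"{row['ip']}:{row['port']}"
    if dest in (RESOLVER, MDNS):
        return True
    d = row["domain"]
    return any(d == s or d.endswith("." + s) for s in PLATFORM_NOISE_SUFFIXES)


def summarize(rows):
    """One entry per contacted host (domain, or bare IP when none was logged)."""
    hosts = defaultdict(lambda: {"endpoints": set(), "protos": set(),
                                 "connections": 0, "is_ip": False,
                                 "uuid_label": False, "parent": None})
    for r in rows:
        if is_noise(r):
            continue
        key = r["domain"] or r["ip"]
        h = hosts[key]
        h["endpoints"].add(f"{r['ip']}:{r['port']}")
        h["protos"].add(r["proto"])
        h["connections"] += 1
        h["is_ip"] = not r["domain"]
        m = UUID_LABEL.match(r["domain"])
        if m:
            h["uuid_label"] = True
            h["parent"] = m.group("parent")
    return dict(hosts)


def pivot_indicators(summary):
    """Indicators to block or hunt on: for UUID hostnames the parent domain
    (the label is fresh per run), otherwise the host itself, plus every
    ip:port endpoint. Bare-IP hosts appear only in the endpoint list."""
    domains, endpoints = set(), set()
    for host, h in summary.items():
        if not h["is_ip"]:
            domains.add(h["parent"] if h["uuid_label"] else host)
        endpoints |= h["endpoints"]
    return sorted(domains), sorted(endpoints)


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    for host, h in sorted(summary.items()):
        tag = f" (uuid label, pivot on {h['parent']})" if h["uuid_label"] else ""
        print(f"{host}{tag}: {h['connections']} conn, {sorted(h['endpoints'])}")
    print("block/hunt:", *pivot_indicators(summary))
```

Run against the full table, the output reduces the 48 rows to a handful of hosts and yields mycool.xyz plus 13.248.252.114:8091 and 99.83.138.213:8091 as the indicators to act on; the individual UUID hostnames are useful only as evidence that the labels are generated per install or per run.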

Files

/data/data/com.vbplon.laedinpr/databases/cc/cc.db-journal

MD5 db6ee123acb656b647cf0b639dff7f61
SHA1 f72851a071f1cee7125ca5afa319f5cd8520b1d6
SHA256 6aab4382b905f2f43d864bb1524ea2efaafda3f48e84f2e97f9b245a3e4b9fdd
SHA512 a80ca5c13f26df43683cad1cc6d5cf87cab6292c4413621daa76736df166d0d86e66d57c624d0b221f0f12b1f3ce8a212d560ebd89ff64c004d3149ee6bfb13c

/data/data/com.vbplon.laedinpr/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.vbplon.laedinpr/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.vbplon.laedinpr/databases/cc/cc.db-wal

MD5 4eeebc1122321ceca59516b340d54505
SHA1 806558c974508de55b3adf8db1d20c9166dc6dc8
SHA256 a9b4f77bcb42fd87e169f76cceb546786f18dd6bd43be90869106d4c221b90d3
SHA512 e86c210f9dbdad931e6a8021d1929fabb34099b6ae2a7d58d7e70503c05bfb4d49ae8455339a1aae2825f8834c7fd52d47d11d592215c468ea380928590d284a

/data/data/com.vbplon.laedinpr/files/umeng_it.cache

MD5 17efc9e853bd269452066e7757784b74
SHA1 c280beb55e887bb5ad42e4882e891662d2a26f82
SHA256 cd04cf1add42d34e72296c14b60e9faeec4686b8644bb55f7c983632f3c818cb
SHA512 0195c0deba2f7deb509a9a6b6758f60977dd55289672a84e84df25ef73f1b1951eb7daf34137ab7bb701a724b002782983137950be658cddbebed71e253030fd

/data/data/com.vbplon.laedinpr/files/.umeng/exchangeIdentity.json

MD5 87927cab159ef959b8d3cd418d29ed33
SHA1 875dc7ddc3c3f3c52ea971e1ff62ec438b17f17b
SHA256 e7ce481567997397ca0b39e63c4cdaeebf473706c58e90933ff586cb0df110ef
SHA512 7cba38b383a9ab8ae7a5e173537d3a229e54ab4274fdab6c0e9db56f366f1bc7e07189d49ada3da5efca5bfdb95d04c36582b8821783f79dd7107f66f0c9a393

/data/data/com.vbplon.laedinpr/databases/cc/cc.db-wal

MD5 5c7caa56e7ab5f099970d4045e0550a3
SHA1 2a3e07fe007ca0e3fdcd6da2633b9d001cddf90a
SHA256 c6c04a1a9b6b0510168e00db179c29520469e9d607370e388a4e4bccececad95
SHA512 f0fdec077efebbf1c7026bdeaec51d5a6615a599ccbbc26c26cd7b8a52b097e8a0ca5eadd8880f35bd8349f7bef7516aa106398bd79fd2761b2869c6ee75f315

/data/data/com.vbplon.laedinpr/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.vbplon.laedinpr/files/.um/um_cache_1729167480365.env

MD5 025beccc3cf7f2019202901671589f25
SHA1 b14091120eadec31834e00863123d0d290330685
SHA256 f4a2151a5a5418c49b0cf57c1b2ed9d53e8849a0c3adb206bed8786956f791b3
SHA512 06a13b75a6b07563490f29d1607985a052ccba9be524bb78c0532e7d0e54392cca476819cd062dd8f7cfd53c98b23893e79a1b8b756525413ba64a261514a11b

/data/data/com.vbplon.laedinpr/files/mobclick_agent_cached_com.vbplon.laedinpr3765371

MD5 f0e5660a365998ae4529c3ca125dc2a3
SHA1 863dca6415d2446acc0791f21f9e2abff7ef9774
SHA256 59b79fc3a5792925ac032ef65764b2356569852d988ee49e5fbd095ef93fbd3d
SHA512 50fb7fe113057667199f3227491d939fac9a78b5f3022e711fd3e17f511df0b40a1bfe964d11824b460a3426ea4703810b7c28fb215808e83017f6f382efab35
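The file list above shows cc.db together with a -journal, a -wal and a -shm side file, and two snapshots each of cc.db and cc.db-wal with different hashes, so the database was being written during the run and was opened in both rollback-journal and WAL mode at some point. The practical consequence for anyone pulling this artifact off a device or sandbox: in WAL mode the most recently committed rows live only in the -wal file until a checkpoint, so acquiring cc.db alone silently loses them. The example below is added here and is not part of the report; it constructs a local WAL-mode SQLite database in the same state (newest rows not yet checkpointed) and shows the row count seen with and without the side files. The table name cc is an assumption for the example; nothing in the report describes the schema.

```python
"""WAL-aware acquisition of an app SQLite database (added example, not from the report).

Assumption: the sandbox's cc.db / cc.db-wal / cc.db-shm snapshot behaves like
any WAL-mode SQLite database; the live database here is constructed locally.
"""
import os
import shutil
import sqlite3
import tempfile

WAL_SIDE_FILES = ("-wal", "-shm")


def build_live_database(db_path):
    """Create a WAL-mode database whose newest committed rows exist only in
    the -wal file. The connection is returned open: closing the last
    connection would checkpoint and delete the WAL, which is not the state
    a running app (or a sandbox snapshot taken mid-run) is in."""
    conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("CREATE TABLE cc (id INTEGER PRIMARY KEY, payload TEXT)")
    conn.execute("INSERT INTO cc(payload) VALUES ('old-1'), ('old-2')")
    conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")  # fold these into the main file
    conn.execute("INSERT INTO cc(payload) VALUES ('new-3'), ('new-4')")  # WAL only
    return conn


def acquire(db_path, dest_dir, with_side_files):
    """Copy the main database file, and optionally its -wal/-shm side files."""
    os.makedirs(dest_dir, exist_ok=True)
    dst = os.path.join(dest_dir, os.path.basename(db_path))
    shutil.copy2(db_path, dst)
    if with_side_files:
        for suffix in WAL_SIDE_FILES:
            if os.path.exists(db_path + suffix):
                shutil.copy2(db_path + suffix, dst + suffix)
    return dst


def count_rows(db_path):
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM cc").fetchone()[0]
    finally:
        conn.close()


def compare_acquisitions():
    """Return (rows visible from the main file only, rows visible with -wal/-shm)."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "cc.db")
        conn = build_live_database(live)
        try:
            main_only = acquire(live, os.path.join(work, "main_only"), False)
            complete = acquire(live, os.path.join(work, "complete"), True)
            return count_rows(main_only), count_rows(complete)
        finally:
            conn.close()


if __name__ == "__main__":
    partial, full = compare_acquisitions()
    print(f"main file only: {partial} rows; with -wal/-shm: {full} rows")
```

The same applies when hashing: the report records separate hashes for cc.db and cc.db-wal, and the -wal hash changes between the two snapshots while the earlier cc.db hash does not have to, so a hash of the main file alone is not a hash of the database contents.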

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 12:16

Reported

2024-10-17 12:19

Platform

android-33-x64-arm64-20240624-en

Max time kernel

7s

Max time network

132s

Command Line

com.vbplon.laedinpr

Signatures

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.vbplon.laedinpr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.36:443 | | udp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | udp
US | 13.248.252.114:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 99.83.138.213:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.204.74:443 | remoteprovisioning.googleapis.com | tcp
US | 13.248.252.114:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 216.58.201.99:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 216.58.201.99:443 | | udp
US | 99.83.138.213:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp
GB | 142.250.200.36:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 142.250.200.36:443 | | udp
US | 13.248.252.114:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp
US | 99.83.138.213:8091 | www.f2c4faa7-3439-4bd3-93dc-4b63b687c172.mycool.xyz | tcp

Files

N/A