Malware Analysis Report

2025-08-11 07:09

Sample ID 241017-q1x22ataqq
Target 524201c0a1489e916d3ed2205acced95_JaffaCakes118
SHA256 b73ae25d0bfaf275a363a0ac19ab6d973beceb72517b1e5bc82e5c9e10760ff0
Tags
banker discovery evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b73ae25d0bfaf275a363a0ac19ab6d973beceb72517b1e5bc82e5c9e10760ff0

Threat Level: Shows suspicious behavior

The file 524201c0a1489e916d3ed2205acced95_JaffaCakes118 was classified as showing suspicious behavior (score 7/10). The banker tag rests on a single heuristic, the enumeration of installed applications; no overlay, accessibility-service or SMS-interception indicator fired in either detonation, and the only network contacts apart from Google services are the adflex.vn ad and tracking hosts, so treat the tag as a lead to confirm rather than a verdict.

Malicious Activity Summary

banker discovery evasion persistence

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator.

Requests dangerous framework permissions

Checks the presence of a debugger

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 13:44

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
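The permission table above is what a static pass over the APK's manifest yields. The script below is an added example (not the sandbox's code and not taken from the sample) showing how to reproduce that triage offline: it parses an apktool-decoded AndroidManifest.xml, groups the requested permissions by Android's dangerous (runtime) permission groups, and separately flags the high-signal permissions an ad SDK has no reason to ask for. The embedded manifest is constructed to carry the six permissions listed in the table plus INTERNET; its package name and activity are placeholders, and the DANGEROUS and HIGH_SIGNAL lists are abbreviated, not exhaustive.

```python
"""Triage the permissions an APK manifest requests (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Abbreviated subset of Android's dangerous (runtime) permissions, keyed to
# their permission group. Not exhaustive; extend from the Android reference.
DANGEROUS = {
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
}

# Permissions that point at capabilities beyond ad/analytics needs
# (overlay abuse, SMS interception, sideloading). Editor's list.
HIGH_SIGNAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed manifest: the six permissions from the static1 table plus
# INTERNET. Package name and activity are placeholders, not from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="placeholder">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every <uses-permission android:name=...> value in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage_permissions(manifest_xml):
    """Split requested permissions into dangerous-by-group, high-signal, normal."""
    by_group = defaultdict(list)
    high_signal, normal = [], []
    for perm in requested_permissions(manifest_xml):
        if perm in HIGH_SIGNAL:
            high_signal.append(perm)
        if perm in DANGEROUS:
            by_group[DANGEROUS[perm]].append(perm)
        elif perm not in HIGH_SIGNAL:
            normal.append(perm)
    return {"dangerous": dict(by_group), "high_signal": high_signal, "normal": normal}


if __name__ == "__main__":
    result = triage_permissions(SAMPLE_MANIFEST)
    for group, perms in result["dangerous"].items():
        print("%s: %s" % (group, ", ".join(perms)))
    print("high-signal:", result["high_signal"] or "none")
    print("normal:", result["normal"])
```

Run against a real sample with `apktool d sample.apk` and feed the decoded AndroidManifest.xml to `triage_permissions`; an empty `high_signal` list alongside camera, location and phone-state access is the profile of an ad or analytics SDK rather than a banker, which is what the static1 table shows here.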

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 13:44

Reported

2024-10-17 13:46

Platform

android-x86-arm-20240624-en

Max time kernel

133s

Max time network

137s

Command Line

vn.adflex.process

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the network country code (labelled by the sandbox as "mobile country code (MCC)")

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

getNetworkCountryIsoForPhone returns the ISO 3166-1 alpha-2 country code of the registered operator, which the framework derives from the network's MCC; it does not return the raw MCC itself.

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

These two reads carry no tag: /proc/cpuinfo and /proc/meminfo are read by emulator-detection code (looking for the goldfish or ranchu emulator hardware string, for example) but just as commonly by crash reporters and ad SDKs collecting device statistics, so on their own they are not evidence of evasion.
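The signature list above is produced by matching raw trace events (framework service calls, framework API calls, file opens) against rules and attaching tags. The script below is an added example of that mapping, written by the editor rather than taken from the sandbox: it classifies constructed trace lines in the form "svc <service call>", "api <framework API>" and "open <path>" using the indicators the report lists, and then applies a corroboration check that downgrades a "banker" tag raised by app enumeration alone when no overlay or accessibility indicator accompanies it. The service names for the signatures whose Indicator column the report omits (IPackageManager.getInstalledPackages, IPhoneSubInfo.getLine1Number, Debug.isDebuggerConnected) are taken from AOSP and are an assumption about what the sandbox matched; the overlay and accessibility rules are placeholders for indicators that do not appear in this report.

```python
"""Map sandbox trace lines onto report signatures and tags (added example)."""
import re
from collections import Counter

# (pattern over "kind value", signature text, tags). Rules 1, 2 and 5 use
# AOSP service/API names assumed to be what the sandbox matched.
RULES = [
    (re.compile(r"^svc android\.content\.pm\.IPackageManager\.getInstalledPackages"),
     "Queries a list of all the installed applications on the device", {"discovery", "banker"}),
    (re.compile(r"^svc com\.android\.internal\.telephony\.IPhoneSubInfo\.getLine1Number"),
     "Queries the phone number (MSISDN for GSM devices)", {"discovery"}),
    (re.compile(r"^svc android\.net\.IConnectivityManager\.getActiveNetworkInfo"),
     "Queries information about active data network", {"discovery"}),
    (re.compile(r"^svc com\.android\.internal\.telephony\.ITelephony\.getNetworkCountryIsoForPhone"),
     "Queries the network country code (ISO, derived from MCC)", {"discovery"}),
    (re.compile(r"^api android\.os\.Debug\.isDebuggerConnected"),
     "Checks the presence of a debugger", {"evasion"}),
    (re.compile(r"^api android\.hardware\.SensorManager\.registerListener"),
     "Listens for changes in the sensor environment", {"evasion"}),
    (re.compile(r"^svc android\.app\.IActivityManager\.registerReceiver"),
     "Registers a broadcast receiver at runtime", {"persistence"}),
    (re.compile(r"^open /proc/cpuinfo$"), "Checks CPU information", set()),
    (re.compile(r"^open /proc/meminfo$"), "Checks memory information", set()),
    # Placeholder corroborating indicators; neither appears in this report.
    (re.compile(r"^api android\.view\.WindowManager\.addView .*TYPE_APPLICATION_OVERLAY"),
     "Draws over other apps", {"banker", "overlay"}),
    (re.compile(r"^svc android\.view\.accessibility\.IAccessibilityManager"),
     "Uses accessibility services", {"banker", "accessibility"}),
]

# Constructed trace resembling the behavioral1 events; the last line is a
# file open that matches no rule and is deliberately ignored.
SAMPLE_TRACE = """\
svc android.content.pm.IPackageManager.getInstalledPackages
svc com.android.internal.telephony.IPhoneSubInfo.getLine1Number
svc android.net.IConnectivityManager.getActiveNetworkInfo
svc com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
api android.os.Debug.isDebuggerConnected
api android.hardware.SensorManager.registerListener
svc android.app.IActivityManager.registerReceiver
open /proc/cpuinfo
open /proc/cpuinfo
open /proc/meminfo
open /data/data/example.placeholder/files/v17st
""".splitlines()


def tag_trace(lines):
    """Return (signature, tags) for each trace line that matches a rule."""
    hits = []
    for raw in lines:
        line = raw.strip()
        for pattern, signature, tags in RULES:
            if pattern.search(line):
                hits.append((signature, tags))
                break  # first matching rule wins
    return hits


def summarize(lines):
    """Aggregate signatures and tag counts; flag tags that lack corroboration."""
    hits = tag_trace(lines)
    signatures = sorted({sig for sig, _ in hits})
    tags = Counter(tag for _, tag_set in hits for tag in tag_set)
    weak = []
    # App enumeration alone is weak evidence of a banker: ad and analytics
    # SDKs enumerate packages too. Require an overlay or accessibility hit.
    if tags["banker"] and not (tags["overlay"] or tags["accessibility"]):
        weak.append("banker")
    return {"signatures": signatures, "tags": dict(tags), "weak": weak}


if __name__ == "__main__":
    report = summarize(SAMPLE_TRACE)
    for sig in report["signatures"]:
        print("-", sig)
    print("tags:", report["tags"])
    print("weak (uncorroborated):", report["weak"])
```

Feeding the constructed trace through `summarize` reproduces the report's tag set (discovery, banker, evasion, persistence) and marks banker as uncorroborated; adding a single overlay event to the trace clears that flag, which is the distinction an analyst should make before escalating a sample on this tag.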

Processes

vn.adflex.process

com.perracolabs.cpd

com.perracolabs.cpd:MediaHandlerServiceCP

The third entry is a component of the com.perracolabs.cpd package running in its own process (the ":MediaHandlerServiceCP" suffix comes from the component's android:process attribute), not a separate application.

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ads.adflex.vn | udp
VN | 125.212.201.144:80 | ads.adflex.vn | tcp
VN | 125.212.201.144:80 | ads.adflex.vn | tcp
VN | 125.212.201.144:80 | ads.adflex.vn | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | tracking.adflex.vn | udp
VN | 125.212.201.144:80 | tracking.adflex.vn | tcp

Files

Four snapshots of the same path were captured, each with different content, so the file was rewritten at least four times during the run:

/data/data/com.perracolabs.cpd/files/v17st

MD5 c7525193970d2036521f047aa3752787
SHA1 074816f8bb1a16fbb8c5ab9715d04a36a5d88445
SHA256 32d29b113ffa256da828daa5929efbacc8a7d4e9c18c3fee679cabc3d753346f
SHA512 0971f60f74d15d586ff0a969f2991e6fe6b7a4c066e1ca27926087d0070f0eaf74e491c672096efc4f5fbb9e3febd09e8f66388bab8b58063c08e019e3b9af3a

/data/data/com.perracolabs.cpd/files/v17st

MD5 2c5ad5585ccbe32c9e73eda9c8571744
SHA1 ceae193b2961231cd57e205788ed5bd06bf9ca5c
SHA256 7bc86a3a0ffc6dc201d5404a82527c01d95a7110ad27b349efed0c29d17302b4
SHA512 78a9879501fce35f2e9fafe514be51b048989fdea24090df1606a0929a3173b302475f7049a1388d310647d2ed0f584ae1aa953a9945b7f1f8552a865c7ea9ff

/data/data/com.perracolabs.cpd/files/v17st

MD5 7415739965b0801d81aac0955ebfb73c
SHA1 0e9439f43d63ec198210da3b0941bffe9f9fc105
SHA256 9fefec63eb8becc8febbbd6c0ed0ad2fed4c6312545bdfda7ef35f04ab2ec6fa
SHA512 677cf2127c8392d22bd0500e04698bb5b4577ff8f102ece2be7ec9b16417a41dbf568b43f326e1523b521b49936d2803890758d0824a3086c58d6684f4931770

/data/data/com.perracolabs.cpd/files/v17st

MD5 f8df29f7a30fc0669008b9a2b7d8aac4
SHA1 8d9109664b26745d11f64e3e8cc3c94dc1bda664
SHA256 6e0feff45f308744c453f98d01008173edffc2f4c2557046495d2a70516390a8
SHA512 97cd818f2817d8408bf428b74737fae7b519355445ba7d8e13dd90ed8bceac24b8eab12204d9571db9ff683474ba7bd54af96323de718950bc9066b7c31c7cf4
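The Network and Files tables above mix sample-specific indicators with sandbox environment noise (the resolver at 1.1.1.1, mDNS multicast, Google service endpoints). The script below is an added example by the editor, not the sandbox's code, of turning both tables into a deduplicated IOC list: DNS lookups contribute the queried name rather than the resolver address, multicast and well-known Google ranges are dropped, resolved names are paired with the addresses they were contacted at, and file captures are grouped by path. The rows are constructed from the behavioral1 tables; which address ranges and domain suffixes count as noise is the editor's assumption and should be tuned for the sandbox in use.

```python
"""Extract sample-specific IOCs from detonation network and file tables
(added example)."""
import ipaddress
from collections import defaultdict

# Constructed from the behavioral1 Network table: (country, destination, domain, proto)
NETWORK_ROWS = [
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "ads.adflex.vn", "udp"),
    ("VN", "125.212.201.144:80", "ads.adflex.vn", "tcp"),
    ("VN", "125.212.201.144:80", "ads.adflex.vn", "tcp"),
    ("VN", "125.212.201.144:80", "ads.adflex.vn", "tcp"),
    ("GB", "142.250.200.46:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "172.217.16.238:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "semanticlocation-pa.googleapis.com", "udp"),
    ("US", "1.1.1.1:53", "tracking.adflex.vn", "udp"),
    ("VN", "125.212.201.144:80", "tracking.adflex.vn", "tcp"),
]

# Constructed from the behavioral1 Files table: (path, sha256)
FILE_ROWS = [
    ("/data/data/com.perracolabs.cpd/files/v17st",
     "32d29b113ffa256da828daa5929efbacc8a7d4e9c18c3fee679cabc3d753346f"),
    ("/data/data/com.perracolabs.cpd/files/v17st",
     "7bc86a3a0ffc6dc201d5404a82527c01d95a7110ad27b349efed0c29d17302b4"),
    ("/data/data/com.perracolabs.cpd/files/v17st",
     "9fefec63eb8becc8febbbd6c0ed0ad2fed4c6312545bdfda7ef35f04ab2ec6fa"),
    ("/data/data/com.perracolabs.cpd/files/v17st",
     "6e0feff45f308744c453f98d01008173edffc2f4c2557046495d2a70516390a8"),
]

# Environment noise. Editor's assumptions: multicast plus two Google ranges;
# tune per sandbox.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4",     # multicast (mDNS, SSDP)
    "142.250.0.0/15",  # Google
    "172.217.0.0/16",  # Google
)]
NOISE_DOMAIN_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")
RESOLVERS = {"1.1.1.1", "8.8.8.8"}  # sandbox DNS resolvers


def is_noise_domain(domain):
    return domain.endswith(NOISE_DOMAIN_SUFFIXES)


def is_noise_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOISE_NETS)


def extract_iocs(network_rows, file_rows):
    """Return domains, contacted endpoints, name-to-address pairs and file hashes."""
    domains, endpoints = set(), set()
    resolved = defaultdict(set)
    for _country, dest, domain, proto in network_rows:
        ip, port = dest.rsplit(":", 1)
        if domain and is_noise_domain(domain):
            continue
        if ip in RESOLVERS and port == "53":
            # A DNS lookup: the queried name is the indicator, not the resolver.
            if domain:
                domains.add(domain)
            continue
        if is_noise_ip(ip):
            continue
        endpoints.add("%s:%s/%s" % (ip, port, proto))
        if domain:
            domains.add(domain)
            resolved[domain].add(ip)
    files = defaultdict(list)
    for path, sha256 in file_rows:
        if sha256 not in files[path]:
            files[path].append(sha256)
    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "resolved": {d: sorted(v) for d, v in resolved.items()},
        "files": dict(files),
    }


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS, FILE_ROWS)
    print("domains:", iocs["domains"])
    print("endpoints:", iocs["endpoints"])
    print("resolved:", iocs["resolved"])
    for path, hashes in iocs["files"].items():
        print("%s: %d distinct versions" % (path, len(hashes)))
```

On these rows the result collapses to two domains, one endpoint (125.212.201.144:80/tcp, which serves both adflex.vn names) and four distinct versions of the v17st file; note that 224.0.0.251 and the Google addresses never reach the IOC list, which is the point of the noise filter.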

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-17 13:44

Reported

2024-10-17 13:44

Platform

android-33-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

No process from the sample was recorded on this android-33 (API 33) image and no signature fired; the run produced only mDNS and Google-endpoint traffic in six seconds, so every behavioral finding in this report rests on behavioral1 alone.

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.196:443 | - | udp
GB | 142.250.187.196:443 | - | tcp

Files

N/A