Malware Analysis Report

2025-08-11 07:09

Sample ID 241017-qqgbjasfpm
Target 5237db4fc88723d8ff2ad36eca190c3a_JaffaCakes118
SHA256 0cfdff6fcee391b9f8c7edad51cd3c081f0cf3259966371c4e2770f3a4b51cfe
Tags
banker discovery evasion impact
score
7/10


Analysis Overview

score
7/10

SHA256

0cfdff6fcee391b9f8c7edad51cd3c081f0cf3259966371c4e2770f3a4b51cfe

Threat Level: Shows suspicious behavior

The file 5237db4fc88723d8ff2ad36eca190c3a_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion impact

Checks Android system properties for emulator presence.

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries information about active data network

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-17 13:27

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-17 13:27

Reported

2024-10-17 13:30

Platform

android-x86-arm-20240624-en

Max time kernel

87s

Max time network

130s

Command Line

com.fittg.qvvbmmn

Signatures

Checks Android system properties for emulator presence.

evasion
Description | Indicator | Process | Target
Accessed system property key: | ro.serialno | N/A | N/A
Accessed system property key: | ro.product.model | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.fittg.qvvbmmn/posrr.jar | N/A | N/A
N/A | /data/data/com.fittg.qvvbmmn/posrr.jar | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description | Indicator | Process | Target
N/A | alog.umeng.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Processes

com.fittg.qvvbmmn

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.fittg.qvvbmmn/posrr.jar --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.fittg.qvvbmmn/oat/x86/posrr.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | app.tbjyz.com | udp
US | 1.1.1.1:53 | mppay.net | udp
US | 1.1.1.1:53 | tools.zhxapp.com | udp
US | 1.1.1.1:53 | device.dunxingpay.com | udp
US | 1.1.1.1:53 | data.iapppay.com | udp
HK | 47.242.162.24:80 | device.dunxingpay.com | tcp
US | 1.1.1.1:53 | wangjun.cdn.bcebos.com | udp
US | 192.250.205.11:8083 | data.iapppay.com | tcp
US | 1.1.1.1:53 | device1.dunxingpay.com | udp
US | 1.1.1.1:53 | alog.umeng.com | udp
HK | 47.242.162.24:80 | device1.dunxingpay.com | tcp
CN | 223.109.148.177:80 | alog.umeng.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
CN | 223.109.148.130:80 | alog.umeng.com | tcp
CN | 223.109.148.178:80 | alog.umeng.com | tcp
CN | 223.109.148.141:80 | alog.umeng.com | tcp
CN | 223.109.148.179:80 | alog.umeng.com | tcp
CN | 223.109.148.176:80 | alog.umeng.com | tcp
US | 1.1.1.1:53 | alog.umeng.co | udp

Files

/data/data/com.fittg.qvvbmmn/posrr.jar

MD5 79738c91f8538709a618484e6e2f1ebf
SHA1 75a58cb5c1906041191e3e9f945aadbaba7fef26
SHA256 bb9277e4b9808ab386cd2c269a4fa443034e176ddbdbf166aeb3aff469370986
SHA512 d20b0ebcde5f6f7aa281182e8b20423f8e7eb6f6e219a5b874742bd18035f53bdb1bca2db7b8e2b17e419ca83e2ec4bb6de75d81ed5626914a86a2c4d5439746

/data/data/com.fittg.qvvbmmn/posrr.jar

MD5 96b7d19d02f70c5ae0b0679ce704026a
SHA1 bb9230d1b3c5cf63a8ea86f0b567e85d0bfbf82e
SHA256 e88362458dd10dec046b401232edc98b36653fafdba683c0f696feae616e1a8d
SHA512 2b93cfee34875037383d308864d456dff49ca2a88305444c627868a86ad30eea946e3cdaeb93b488937fe0d423ee7741ff2455872b941096598d88ebab5526c4

/data/data/com.fittg.qvvbmmn/files/qdbh

MD5 66df243d406353d0e9db6c5dd027d2d6
SHA1 a95eedef9091a0498339e0abc4388fd1b4a3da12
SHA256 29433eae6f7f1308d9799275f3a90a0afe1fef0e1818a7c7a4f0aa686493fecb
SHA512 c71660ba645c1080a296f0be0ea98dc10e391fae491c08619e8edeba27c9a8d122323e388ce5fd32e4669440b7cdc72b767b7b290829f9102e5acc9f7306068a

/data/data/com.fittg.qvvbmmn/files/.deviceid

MD5 f2b4bf6e97614db8bffc8ab4055baf4a
SHA1 d2cd7c38e5723c3d2e4f73e7b0d60db7a1dc1ad4
SHA256 57d18a74c80370fa02fcb7025754444f4daea409ff962051d79368baa9f00b68
SHA512 423af2cd99472e76a8680e2c12e9a2d4fbef03cd930c501a1e450d13698df1e71fca681058bed96f36e5fe4a09d814b672105c05c87a802cd320bbe263c2bd89

/storage/emulated/0/iapppay/statistics/com.fittg.qvvbmmn/statistics.log

MD5 1067b7dcf1e108e3e529d728d2df3f64
SHA1 f0252a3a97afc6fe8314032833571fb379b9b040
SHA256 89f024864ae1496a5887e5b53c41034e43861ab3e7ec0ec515ddae424a751812
SHA512 bd8171863e57a8f11a4f1c50f74b69783e1736108c6a76d11ad8a49554d603a950ac6ab48fe9159c0ce0296318ac82d48f9b0cdd1e414471537159e9ddd4dc10

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-journal

MD5 b284b9a711ffb576a8877b9c91b16418
SHA1 ac315dbee2751c597f8523bbd52cc406fe460ca1
SHA256 a8998601f6431d2513311a3213cb7a848fe39e6a5540c5f88ad39696c22200cb
SHA512 3e6066f470993b826a2ea9f63270edf6e3eb88c1f19fb66e4a78d25049d9eb16a2f7f11342b51fb3a89f448183badcecdc8af637b807486cee90718146924efc

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db

MD5 5d7ea1a23af19b4340cc8d90f28297d5
SHA1 4cfe95b23a9e98378d69c4290af81b51fbe76aea
SHA256 474c4a54534ed96beacad7cc9a805a3f53ec9c0522fc7bcc59771cf500a6a0da
SHA512 33071f4c92da0a3df01c4a61dd165df7c7e0f4f37753cafe02d19fc876a5e7fcbb01c069c804e140ab8bfa0644a55f50fd1373646d1c439f817baa5ffbd47f7b

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal

MD5 4707319659e15c90d9457278e314ca7d
SHA1 b98e6d7202b6e29255039f9739c57c9feb841d6a
SHA256 ba91a0ff9a79531941990a323857c70d7f395c294ef2c22f5bbfa8dea67b772b
SHA512 db0973b3f9f22f7cdfc71e78a30900ccc2d1a6ee326065fd8f3a0e70b1feba4bde611429045223e5be2eec4b0f0ec93dc49a70fa5fd936a8eb317cd5f1f3255c

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 12e11b85fd60e90ca2a98bbb13e0d43e
SHA1 be62636d12539e8ac629f6b7280996f06bbf073c
SHA256 2caa2d520cd07a4e2275df4a182578c6617debc36a93f339145b29e50ebaa413
SHA512 cd99a5d7ae3cc4ce423dc562f3553c432ec88279624e2f67be102acdfb8ba11c29873fea7b9c8a53ac3c8e5a7bd51f3d13a2650ae0e9b3aaabbbdf603769359c

/storage/emulated/0/.DataStorage/ContextData.xml

MD5 d958617d8c50c5a2d3e2d86951d26063
SHA1 dcba2f3caec5b54204f3f1289af0af1134a83fc4
SHA256 90c929829a3413f82bcb199fd053ce34c221735732f3add6cd17374db5428112
SHA512 efbd5079614e76dafda4c0c7f0a3728937bc9f35733f132d73c5c85bcd965b803964c9e35e323f102d6bf6df9531445a6ad4356ca732c0c9517aaf6c49313969

/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

MD5 3cb76dfb615717f889a4379871ee10df
SHA1 edc578bfa5955bee3b9b45534b647964b89ea4da
SHA256 bb038df214528ae4ca2148001aba0d409a5bbc9993de1af7f6874f52aab42752
SHA512 d537501ece33b3ebfd72adf483b3abc7ec4dcc3f756bcbcc3aa2a3c94adaac84dbba02d7adec993d172593ba2dd578cca61e71c9b2d9558e04b373c6d5b2c7e9

/data/data/com.fittg.qvvbmmn/files/umeng_it.cache

MD5 e7ffee1cfc8f96a2e89b6edc57d46439
SHA1 0aa185ed73f858abd4847056507f6bad424c7a5f
SHA256 fe6da18b39361a44fcce34a5298e70318db5b8977ce6bfa618137dad2aa00c41
SHA512 ec286f0e6c5895dc13e70cd48e4c2f9e858cb7acc1ba74f7218b62bf554549db5e325d31d16d89dd6f8dd6fc444b2b8bb8b77f8c6caa6822a009844570fbad81

/data/data/com.fittg.qvvbmmn/files/.umeng/exchangeIdentity.json

MD5 82e2da9a65b5fe3432d17f077450172b
SHA1 9b367eaf792c2aa90a91897a605d059a9bbf3231
SHA256 588b56f4fd4a1b8a93dfe6e9a47126c84d36aaf0b1593d2384a3bc0fdbbd5470
SHA512 b049a17aa9475b52ace67b67faf3869cc1333a9276953bee4c9e28d417560078a43db96e32a5797c8a63ec3420456296ca97d71060acdac8b42c52b13e5d6dcb

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db-wal

MD5 083d240ee67f3b5330bc605483152ef5
SHA1 f82c1871b75a0ef6df5ca0dcb49071c512a96773
SHA256 a775751de6e9df52c354fb80f814c4156235ceee38f1b6bbff612329e2aea107
SHA512 e861819e201b5ce5228851ee8fde370011627ea4a37b493ea49a4fd7b3ae56592896acc887d8b50516f07767760d9f791f75246ce4d7f350ec62ac2814cdacef

/data/data/com.fittg.qvvbmmn/databases/cc/cc.db

MD5 ce6135aa1b1fe4f2c2db2a546d2a5558
SHA1 79b59582154017aadab783dc266fcb158c252940
SHA256 7b45f576c08c7f78220168cca4a0e33198b13e9bdc8b1da406ddb6887412000c
SHA512 2839075fe374c8567c839ae35ce2d33ec72fdaebf170aa7d224b555e5b0e74d4a43f2f67d17ed806dae841da883e9620d788ea052d06152678afa927307c7ce4

/data/data/com.fittg.qvvbmmn/files/.um/um_cache_1729171740930.env

MD5 8a75e223012ff1fdde39ada31f130322
SHA1 392acc9478ee32d2f1b091e978bd24cc3c8e27e4
SHA256 e01630354634b0f8232892a18e2130ee7e9b6517ad40dd820abbd5e962d95e32
SHA512 389a4d560f8d598ed890cea59ef7569cbbafab3d1d911ab2a94b54259db0d2deec4eef0af051eafcf67cfd279935bfccd8875d59ae31c0299a58b9cc1b94b458